This chapter shows you how to configure your own File Server or File Server Cluster for use with Windows Azure Pack: Web Sites.
Background
If you choose the Standalone Windows File Server option during installation, file server preparation is not required and is automated for you. However, although the Standalone option is useful for "proof of concept" installations, a production environment usually requires a more robust solution such as a Windows File Server Cluster or a third-party Network Attached Storage (NAS) device. Windows Azure Pack: Web Sites does not depend on per-web site file share permissions, which enables it to work with heterogeneous file storage implementations such as NAS devices.
Warning: Windows Azure Pack: Web Sites relies on File Server Resource Manager (FSRM), which does not support scale-out file servers.
Five Main Steps
Pre-configuring your own Windows File Server, Windows File Server Cluster, or third-party NAS device involves the following five main steps. The implementation of these steps varies depending on whether you are working in an Active Directory domain or in a workgroup environment. Steps for both environments are presented.
Note: Although it is beyond the scope of this document to provide configuration instructions for third-party NAS devices, you should generally follow the procedures presented here, making adjustments as required by your non-Windows file cluster or NAS device.
1. Provision Groups and Accounts
2. Enable Windows Remote Management (WinRM) and File Server Resource Manager (FSRM)
3. Provision the Content Share and the Certificate Share
4. Add the FileShareOwners group to the local Administrators group to enable WinRM
5. Configure access control to the shares
In an Active Directory domain, provision the groups and accounts as follows.
1. Create the following Active Directory global security groups:
a. FileShareOwners
b. FileShareUsers
c. CertStoreFSUsers
2. Create the following Active Directory accounts as service accounts:
a. FileShareOwner
b. FileShareUser
c. CentralCertStoreUser (When the standalone file server option is used, this account is called CertificateShareUser).
Note: As a security best practice, the users for these accounts (and for all Web Roles) should be distinct from each other and have strong user names and passwords. For more information, see Windows Azure Pack: Web Sites Security Enhancements.
The FileShareOwner, FileShareUser, and CentralCertStoreUser passwords must be set with the following conditions:
· Enable Password never expires
· Enable User cannot change password
· Disable User must change password at next logon
3. Add the accounts to the group memberships as follows:
a. Add FileShareOwner to the FileShareOwners group
b. Add FileShareUser to the FileShareUsers group
c. Add CentralCertStoreUser to the CertStoreFSUsers group
On a workgroup, run the following net and WMIC commands on the file server to provision the groups and accounts.
1. Run the following commands to create the FileShareOwner, FileShareUser, and CentralCertStoreUser accounts. Replace <password> with your own values.
net user FileShareOwner <password> /add /expires:never /passwordchg:no
net user FileShareUser <password> /add /expires:never /passwordchg:no
net user CentralCertStoreUser <password> /add /expires:never /passwordchg:no
2. Set the passwords for the accounts just created to never expire by running the following WMIC commands:
WMIC USERACCOUNT WHERE "Name='FileShareOwner'" SET PasswordExpires=FALSE
WMIC USERACCOUNT WHERE "Name='FileShareUser'" SET PasswordExpires=FALSE
WMIC USERACCOUNT WHERE "Name='CentralCertStoreUser'" SET PasswordExpires=FALSE
3. Create the local groups CertStoreFSUsers, FileShareUsers and FileShareOwners, and add the accounts in the first step to them.
net localgroup CertStoreFSUsers /add
net localgroup CertStoreFSUsers CentralCertStoreUser /add
net localgroup FileShareUsers /add
net localgroup FileShareUsers FileShareUser /add
net localgroup FileShareOwners /add
net localgroup FileShareOwners FileShareOwner /add
On the File Server role, or on each node of the Windows File Server Cluster if you are using a cluster, run the following commands at an elevated command prompt to configure WinRM and FSRM:
powershell.exe Enable-PSRemoting -Force
winrm.cmd set winrm/config/winrs @{MaxConcurrentUsers="10";MaxShellsPerUser="50";MaxProcessesPerShell="5000";IdleTimeout="10000"}
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new remoteip=any
%windir%\system32\dism.exe /online /enable-feature /featurename:FSRM-Management /featurename:FSRM-Infrastructure /all
The Content Share contains tenant web site content, whereas the Certificate Share contains custom tenant certificates.
The procedure to provision the content share and the certificate share on a single file server is the same for both Active Directory and Workgroup environments, but different for a Failover cluster in Active Directory.
On a single file server, run the following commands at an elevated command prompt. Replace the values for <C:\WebSites> and <C:\Certificates> with the corresponding paths in your environment.
set WEBSITES_SHARE=WebSites
set CERTIFICATES_SHARE=Certificates
set WEBSITES_FOLDER=<C:\WebSites>
set CERTIFICATES_FOLDER=<C:\Certificates>
md %WEBSITES_FOLDER%
md %CERTIFICATES_FOLDER%
net share %WEBSITES_SHARE% /delete
net share %WEBSITES_SHARE%=%WEBSITES_FOLDER% /grant:Everyone,full
net share %CERTIFICATES_SHARE% /delete
net share %CERTIFICATES_SHARE%=%CERTIFICATES_FOLDER% /grant:Everyone,full
On the Failover cluster, create the following UNC clustered resources:
1. WebSites
2. Certificates
In order for Windows Remote Management to work properly, you must add the FileShareOwners group to the local Administrators group.
In an Active Directory domain, execute the following commands at an elevated command prompt on the File Server, or on every File Server Failover Cluster node. Replace the value for <DOMAIN> with the domain name you will use.
set DOMAIN=<DOMAIN>
net localgroup Administrators %DOMAIN%\FileShareOwners /add
On a workgroup, execute the following command at an elevated command prompt on the File Server.
net localgroup Administrators FileShareOwners /add
In an Active Directory domain, execute the following commands at an elevated command prompt on the File Server or on the File Server Failover Cluster node which is the current cluster resource owner. Replace the values in angle brackets with values specific to your environment.
set DOMAIN=<DOMAIN>
set WEBSITES_FOLDER=<C:\WebSites>
set CERTIFICATES_FOLDER=<C:\Certificates>
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)
icacls %CERTIFICATES_FOLDER% /reset
icacls %CERTIFICATES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(F)
icacls %CERTIFICATES_FOLDER% /inheritance:r
icacls %CERTIFICATES_FOLDER% /grant %DOMAIN%\CertStoreFSUsers:(OI)(CI)(RX)
On a workgroup, execute the following commands at an elevated command prompt on the File Server. Replace the values in angle brackets with values specific to your environment.
set WEBSITES_FOLDER=<C:\WebSites>
set CERTIFICATES_FOLDER=<C:\Certificates>
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)
icacls %CERTIFICATES_FOLDER% /reset
icacls %CERTIFICATES_FOLDER% /grant FileShareOwners:(OI)(CI)(F)
icacls %CERTIFICATES_FOLDER% /inheritance:r
icacls %CERTIFICATES_FOLDER% /grant CertStoreFSUsers:(OI)(CI)(RX)
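As an added check that is not part of this document or of Windows Azure Pack, the following PowerShell script audits what the five steps leave behind on the file server: the NTFS ACL model from step 5 on both folders (inheritance disabled, only the expected groups present, read-only groups without write-type rights, Everyone limited to inherit-only read access) and the password flags of the step 1 service accounts. It assumes the folder paths, group names and account names match those used above; on a domain, pass the domain as -GroupPrefix.

```powershell
# Added audit script (not part of the original document): checks that the NTFS ACLs left by
# step 5 still match the intended model and that the step 1 service accounts keep their flags.
# Assumed: paths and names below match your environment; on a domain pass -GroupPrefix 'CONTOSO\'.
param(
  [string]$WebSitesFolder     = 'C:\WebSites',
  [string]$CertificatesFolder = 'C:\Certificates',
  [string]$GroupPrefix        = "$env:COMPUTERNAME\"   # local groups resolve as COMPUTER\Group
)
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteLike = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership)
function Test-FolderAcl {
  param([string]$Path, [string[]]$Allowed, [string[]]$ReadOnly)
  $acl = Get-Acl -Path $Path
  $findings = @()
  # icacls /inheritance:r protected the DACL; inherited ACEs reappearing means drift.
  if (-not $acl.AreAccessRulesProtected) { $findings += "${Path}: inheritance is enabled" }
  foreach ($ace in $acl.Access) {
    $id  = $ace.IdentityReference.Value
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $hasWrite = ([int]$ace.FileSystemRights -band $WriteLike) -ne 0
    if ($ace.IsInherited) { $findings += "${Path}: inherited ACE for $id" }
    if ($ace.AccessControlType -ne 'Allow') { $findings += "${Path}: Deny ACE for $id" }
    if ($sid -eq 'S-1-1-0') {
      # Everyone was granted (OI)(CI)(IO)(RA,REA,RD): read-only and inherit-only, so the ACE
      # must not apply to the share root itself and must carry no write-type right.
      $io = [System.Security.AccessControl.PropagationFlags]::InheritOnly
      if (-not $ace.PropagationFlags.HasFlag($io)) { $findings += "${Path}: Everyone ACE applies to the root" }
      if ($hasWrite) { $findings += "${Path}: Everyone has write-type rights" }
    } elseif ($Allowed -notcontains $id) {
      $findings += "${Path}: unexpected identity $id"
    } elseif ($ReadOnly -contains $id -and $hasWrite) {
      $findings += "${Path}: $id should be read-only but has write-type rights"
    }
  }
  return $findings
}
function Test-ServiceAccount {
  param([string]$Name)
  # Win32_UserAccount exposes the 'password never expires' and 'user cannot change password' flags.
  $a = Get-CimInstance Win32_UserAccount -Filter "Name='$Name'" | Select-Object -First 1
  if (-not $a)               { return "${Name}: account not found" }
  if ($a.PasswordExpires)    { return "${Name}: password is allowed to expire" }
  if ($a.PasswordChangeable) { return "${Name}: user can change the password" }
}
$owners = "${GroupPrefix}FileShareOwners"; $users = "${GroupPrefix}FileShareUsers"; $cert = "${GroupPrefix}CertStoreFSUsers"
$results  = Test-FolderAcl $WebSitesFolder @('BUILTIN\Administrators', $owners, $users) @($users)
$results += Test-FolderAcl $CertificatesFolder @($owners, $cert) @($cert)
$results += 'FileShareOwner', 'FileShareUser', 'CentralCertStoreUser' | ForEach-Object { Test-ServiceAccount $_ }
if ($results) { $results | ForEach-Object { Write-Warning $_ } } else { 'ACLs and account flags match the expected model.' }
```

Run it from an elevated PowerShell session on the file server (or on the cluster node that currently owns the resources); every warning it prints is a deviation from the model the icacls commands above establish.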