Installing the Virtual Server Administration Website on a Separate Computer

Virtual Server can be configured so that the Virtual Server service and the Administration Website, with its corresponding installation of IIS, are on different computers. IIS is required only on the computer on which the Administration Website is installed.

You may want to install the Administration Website on a different physical computer under either of the following circumstances:

  • You want to have a physical computer dedicated to running only the Virtual Server service. This might be for performance or security considerations.
  • You want to have multiple physical computers running Virtual Server, but you want only one IIS server.

Important

If you want to deploy Virtual Server in this configuration, you must also be running Active Directory® and have administrator privileges on the domain controller. However, if you have or will have any domain controllers running Microsoft® Windows NT® 4.0 and earlier or Microsoft Windows® 2000 operating systems, then you cannot configure the Administration website on a separate computer. For more information, see the section "Configuring constrained delegation."

This paper describes how to configure the Virtual Server service and Administration website on separate computers for both a new installation of Virtual Server and an existing installation of Virtual Server.

Configuring a new installation of Virtual Server

The following procedures describe how to configure a new installation of Virtual Server so that the Virtual Server service and the Administration website are on separate computers.

To install the Virtual Server service

  1. On the computer on which you intend to install the Virtual Server service, start the Virtual Server Setup Wizard from the Virtual Server 2005 CD-ROM. If you start the Setup Wizard manually, be sure to use Setup.exe.

  2. Proceed through the wizard until you reach the Setup Type page.

  3. On the Setup Type page, select Custom, and then click Next.

  4. Click Virtual Server Web Application, select This feature will not be available, and then click Next.

    Figure: Installing the Virtual Server service component

  5. Click Install to begin the installation.

  6. Once the installation is complete, the Setup Complete page appears. Click Finish to close the page and exit the Setup Wizard.

To install the Administration Website

  1. On the computer on which you intend to install the Administration Website for Virtual Server, install the World Wide Web Service component of Internet Information Services (IIS) 6.0 before starting any installation procedures. For more information, see "To install IIS, add components, or remove components using Control Panel" in Installing IIS (https://go.microsoft.com/fwlink/?LinkId=20033).

  2. On the same computer on which you installed IIS, start the Virtual Server Setup Wizard from the Virtual Server 2005 CD-ROM. If you start the Setup Wizard manually, be sure to use Setup.exe.

  3. Proceed through the wizard until you reach the Setup Type page.

  4. On the Setup Type page, select Custom, and then click Next.

  5. Click Virtual Server Service, select This feature will not be available, and then click Next.

    Figure: Installing only the Administration Website

  6. On the Configure Components page, either accept the default Website port value of 1024, or type a new value for the port.

  7. Do one of the following:

    • If you have resource files on the same computer running the Virtual Server service, and you want to use basic authentication rather than configure constrained delegation, select Configure the Administration Website to always run as the authenticated user, and then click Next. For more information about basic authentication and constrained delegation, see the next section.
    • Otherwise, select Configure the Administration Website to always run as the Local System account, and then click Next.

    Figure: Configure Administration Website for delegation

  8. Click Install to begin the installation.

  9. Once the installation is complete, the Setup Complete page appears. Click Finish to close the page and exit the Setup Wizard.

Note

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. When installation is complete, Microsoft Internet Explorer opens and an installation summary appears. In addition, a dialog box may appear depending on whether you have enabled Internet Explorer Enhanced Security Configuration. You can click OK to dismiss this message.

When the Administration Website (VSWebApp.exe) is installed on a different computer than the Virtual Server service (Vssrvc.exe), you must configure constrained delegation on the Active Directory domain controller or enable basic authentication for the Administration Website. For more information, see the following section.

Deployment Topologies

There are two deployment topologies available when you want to move the Administration Website and Virtual Server service to separate computers.

Storing resource files on the computer running the Virtual Server service

If you choose to store resource files, such as virtual hard disk (.vhd) files and ISO image (.iso) files on the computer on which the Virtual Server service is running, then there are additional configuration steps required. You must do one of the following:

  • Configure constrained delegation on the domain controller, which is described later in this document.

    -OR-

  • Enable Basic authentication for the Administration Website. By default, Virtual Server uses Integrated Windows authentication. This is the preferred method of authentication, and typically you should not make changes to this setting. Certain risks are involved with using Basic authentication. For more information about configuring authentication, see the documentation for Internet Information Services (IIS).

    Important

    If you enable Basic authentication, we strongly recommend that you also implement Secure Sockets Layer (SSL) security for the Administration Website. This is because with Basic authentication, passwords are transmitted in plaintext. You configure SSL for the Administration Website from within IIS. For instructions, see the documentation for IIS.

Storing resource files on a computer other than the one on which the Virtual Server service is running

If you choose to store resource files on a computer other than the one on which the Virtual Server service is running, then you must configure constrained delegation on the domain controller.

Configuring constrained delegation

Important

Constrained delegation is not supported when using Windows XP Professional as your host operating system.

Constrained delegation is the ability to specify that a computer or service account can perform Kerberos delegation to a limited set of services. This allows the credentials of the user who is logged on to the Administration Website, who may not have administrative credentials, to be passed to the computer that is storing the resource files, such as virtual hard disk (.vhd) files and ISO image (.iso) files, so that the user can access the files. In this scenario, you must use Integrated Windows authentication. Delegation does not work with Basic authentication.

The following figure illustrates how constrained delegation works when the Virtual Server service, the Administration website, and the resource files are all located on different servers.

Figure: Constrained delegation and Virtual Server

Alternatively, if the Virtual Server service and resource files are all located on the same computer, then constrained delegation works as illustrated in the following figure:

Figure: Constrained delegation with remote Web server only

Before you begin configuring constrained delegation, make sure that you have performed the following tasks:

  • Complete the installation of Virtual Server, as described previously in this document. For constrained delegation to work, you must perform a custom installation and select the installation option to run the Administration Website as the Local System account. If you do not, you will have to uninstall and reinstall Virtual Server before you can configure constrained delegation.
  • Verify that the domain controller is configured for a Microsoft Windows Server™ 2003 native domain. If necessary, raise the functional level of the domain from Windows 2000 (the default) to Microsoft Windows Server™ 2003. For instructions, see "Raise the domain function level" on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=51683).

Warning

If you have or will have any domain controllers running Windows NT 4.0 and earlier or Windows 2000 operating systems, then do not raise the domain functional level to Windows Server 2003. Once the domain functional level is set to Windows Server 2003, it cannot be changed back to Windows 2000 mixed or Windows 2000 native.

Follow these instructions to allow the computer running the Virtual Server service to delegate the credentials of the logged-on user to another computer. This allows users to access resource files stored on a computer other than the one running the Virtual Server service.

Important

If the Virtual Server service is running on the same computer on which you are storing resource files, both of the following procedures will be performed on the same computer in step 3.

To allow the Virtual Server service to delegate a user’s credentials to another computer

  1. On the domain controller, open Active Directory Users and Computers.

  2. In the console tree, under DomainName, click Computers.

  3. Right-click the computer running the Virtual Server service, and then click Properties.

  4. On the Delegation tab, click Trust this computer for delegation to specified services only.

  5. Click Use any authentication protocol.

    Figure: Configuring Active Directory delegation

  6. Click Add, and then click Users and Computers.

  7. Type the name of the computer on which the resource files are stored, and then click OK.

  8. From the list of available services, select cifs, and then click OK.

Follow these instructions to allow the Web server to delegate the credentials of the logged-on user to the computer running the Virtual Server service.

To allow the Web server to delegate a user’s credentials to the Virtual Server service

  1. On the domain controller, open Active Directory Users and Computers.

  2. In the console tree, under DomainName, click Computers.

  3. Right-click the Web server, and then click Properties.

  4. On the Delegation tab, click Trust this computer for delegation to specified services only.

  5. Click Use any authentication protocol.

    Figure: Configuring Active Directory delegation

  6. Click Add, and then click Users and Computers.

  7. Type the name of the computer running the Virtual Server service, and then click OK.

  8. From the list of available services, hold down the CTRL key while clicking cifs and vssrvc, and then click OK.

  9. Repeat as necessary for additional computers running the Virtual Server service.
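After both procedures, the delegation settings can be checked from an LDIF export of the computer accounts (for example, one produced with ldifde). The following is an added example, not part of the original documentation: it flags unconstrained delegation, a missing "Use any authentication protocol" flag, and any delegation target other than the cifs and vssrvc services selected above. The computer names, the domain, and the exact SPN strings are constructed assumptions.

```python
# Added example; all host and domain names below are constructed.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

SAMPLE_LDIF = """\
dn: CN=WEB01,CN=Computers,DC=example,DC=test
userAccountControl: 16781312
msDS-AllowedToDelegateTo: cifs/VS01.example.test
msDS-AllowedToDelegateTo: vssrvc/VS01.example.test

dn: CN=VS01,CN=Computers,DC=example,DC=test
userAccountControl: 16781312
msDS-AllowedToDelegateTo: cifs/FILES01.example.test
msDS-AllowedToDelegateTo: http/INTRANET.example.test

dn: CN=OLD01,CN=Computers,DC=example,DC=test
userAccountControl: 528384
"""
# Targets each computer should have after both procedures (assumed SPN form).
EXPECTED = {
    "WEB01": {"cifs/vs01.example.test", "vssrvc/vs01.example.test"},
    "VS01": {"cifs/files01.example.test"},
}

def parse_ldif(text):  # returns {NAME: {"uac": int, "spns": [str, ...]}}
    accounts, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "dn":
            name = value.split(",")[0].split("=", 1)[1].upper()
            current = accounts[name] = {"uac": 0, "spns": []}
        elif current is not None and key == "userAccountControl":
            current["uac"] = int(value)
        elif current is not None and key == "msDS-AllowedToDelegateTo":
            current["spns"].append(value.lower())
    return accounts

def audit(accounts, expected):
    """Return (computer, problem) pairs; expected maps name -> allowed SPNs."""
    findings = []
    for name, acct in sorted(accounts.items()):
        allowed, have = expected.get(name, set()), set(acct["spns"])
        if acct["uac"] & TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained delegation enabled"))
        if name in expected and not acct["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "protocol transition flag not set"))
        findings += [(name, "unexpected delegation target " + s) for s in sorted(have - allowed)]
        findings += [(name, "missing delegation target " + s) for s in sorted(allowed - have)]
    return findings
```

The directory may store more than one name form for the same service (short and fully qualified), so build `EXPECTED` from the values that appear in your own export.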

Important

For instructions on how to manage an instance of Virtual Server on a computer separate from the computer on which the Administration website is installed, see "Select the Virtual Server instance to manage" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=51324).

Configuring an existing installation of Virtual Server

This section describes how to configure an existing installation of Virtual Server where the Administration website and Virtual Server service are on the same computer so that the Administration website and Virtual Server service are on separate computers.

To move the Administration website and Virtual Server service to separate computers

  1. Uninstall IIS from the computer on which Virtual Server is currently installed. For more information, see "To install IIS, add components, or remove components using Control Panel" in Installing IIS (https://go.microsoft.com/fwlink/?LinkId=20033).

  2. Uninstall the Administration website component of Virtual Server from the computer on which Virtual Server is currently installed.

  3. Perform the procedure "To install the Administration website" in the previous section, "Configuring a new installation of Virtual Server."

  4. Perform the procedures "To allow the Virtual Server service to delegate a user’s credentials to another computer" and "To allow the Web server to delegate a user’s credentials to the Virtual Server service" in the previous section, "Configuring constrained delegation."

  5. For instructions on how to manage an instance of Virtual Server on a computer separate from the computer on which the Administration website is installed, see "Select the Virtual Server instance to manage" on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=51324).