Pre-configure a Windows File Server Cluster or NAS device for Windows Azure Pack: Web Sites

 

Updated: August 11, 2015

Applies To: Windows Azure Pack

This chapter shows you how to configure your own File Server or File Server Cluster for use with Windows Azure Pack: Web Sites.

Background

If you choose the Standalone Windows File Server option during installation, file server preparation is not required and is automated for you. However, although the Standalone option is useful for "proof of concept" installations, a production environment usually requires a more robust solution such as a Windows File Server Cluster or third-party Network Attached Storage device (NAS). Windows Azure Pack: Web Sites uses does not depend on per-web site file share permissions, which enables it to work with heterogeneous file storage implementations such as NAS devices.

Warning

Windows Azure Pack: Web Sites relies on File Server Resource Manager (FSRM), which does not support scale-out file servers.

Note

As of Update Release 6, Windows Azure Pack: Web Sites no longer requires a Certificate Share and associated users. You will not be required to provide them in new installations. In upgraded installations the credentials and share remain but will not be used.

Five Main Steps

Pre-configuring your own Windows File Server, Windows File Server Cluster, or third party NAS device involves the following five main steps. The implementation of these steps varies depending on whether you are working in an Active Directory domain or in a workgroup environment. Steps for both environments are presented.

Note

Although it is beyond the scope of this document to provide configuration instructions for third-party NAS devices, you should generally follow the procedures presented here, making adjustments as required by your non-Windows file cluster or NAS device.

1. Provision Groups and Accounts

2. Enable Windows Remote Management (WinRM)

3. Provision the Content Share

4. Add the FileShareOwners group to the local Administrators group to enable WinRM

5. Configure access control to the shares

   

1. Provision Groups and Accounts

Provision Groups and Accounts in Active Directory

  1. Create the following Active Directory global security groups:

    1. FileShareOwners

    2. FileShareUsers

  2. Create the following Active Directory accounts as service accounts. The accounts to create are

    1. FileShareOwner

    2. FileShareUser

      Note

      As a security best practice, the users for these accounts (and for all Web Roles) should be distinct from each other and have strong user names and passwords. For more information, see Windows Azure Pack: Web Sites Security Enhancements.

    3. The FileShareOwner and FileShareUser passwords must be set with the following conditions:

      • Enable Password never expires

      • Enable User cannot change password

      • Disable User must change password at next logon

  3. Add the accounts to the group memberships as follows:

    1. Add FileShareOwner to the FileShareOwners group

    2. Add FileShareUser to the FileShareUsers group

Provision Groups and Accounts in a Workgroup

On a workgroup, run net and WMIC commands to provision groups and accounts.

  1. Run the following commands to create the FileShareOwner and FileShareUser accounts. Replace <password> with your own values.

    net user FileShareOwner <password> /add /expires:never /passwordchg:no
    net user FileShareUser <password> /add /expires:never /passwordchg:no
    
  2. Set the passwords for the accounts just created to never expire by running the following WMIC commands:

    WMIC USERACCOUNT WHERE "Name='FileShareOwner'" SET PasswordExpires=FALSE
    WMIC USERACCOUNT WHERE "Name='FileShareUser'" SET PasswordExpires=FALSE
    
  3. Create the local groups FileShareUsers and FileShareOwners, and add the accounts in the first step to them.

    net localgroup FileShareUsers /add
    net localgroup FileShareUsers FileShareUser /add
    net localgroup FileShareOwners /add
    net localgroup FileShareOwners FileShareOwner /add
    

2. Enable Windows Remote Management (WinRM)

On the File Server role, or on each node of the Windows File Server Cluster if you are using a cluster, run the following commands at an elevated command prompt to configure WinRM:

powershell.exe Enable-PSRemoting –Force
winrm.cmd set winrm/config/winrs @{MaxConcurrentUsers="10";MaxShellsPerUser="50";MaxProcessesPerShell="5000";IdleTimeout="10000"}

netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new remoteip=any

%windir%\system32\dism.exe /online /enable-feature /featurename:FSRM-Infrastructure /all

Warning

Do not run the above commands from a batch file. If you do so, the batch file will exit prematurely after the winrm.cmd script completes.

Optionally enable the File Server Resource Manager (FSRM) user interface on non-server core Windows

If you are not installing on Server Core for Windows Server, you can optionally enable the user interface for the File Server Resource Manager (FSRM).

Note

The FSRM user interface is not required. It cannot be installed on Server Core for Windows.

To enable the FSRM user interface, run the following command at an elevated command prompt:

%windir%\system32\dism.exe /online /enable-feature /featurename:FSRM-Management /all

3. Provision the Content Share

The Content Share contains tenant web site content.

The procedure to provision the content share on a single file server is the same for both Active Directory and Workgroup environments, but different for a Failover cluster in Active Directory.

Provision the content share on a single file server (AD or Workgroup)

On a single file server, run the following commands at an elevated command prompt. Replace the value for <C:\WebSites> with the corresponding paths in your environment.

set WEBSITES_SHARE=WebSites
set WEBSITES_FOLDER=<C:\WebSites>

md %WEBSITES_FOLDER%

net share %WEBSITES_SHARE% /delete
net share %WEBSITES_SHARE%=%WEBSITES_FOLDER% /grant:Everyone,full

Provision the content share on a Failover cluster (Active Directory)

On the Failover cluster, create the following UNC clustered resources:

  1. WebSites

4. Add the FileShareOwners group to the local Administrators group to enable WinRM

In order for Windows Remote Management to work properly, you must add the FileShareOwners group to the local Administrators group.

Active Directory

Execute the following commands at an elevated command prompt on the File Server, or on every File Server Failover Cluster node. Replace the value for <DOMAIN> with the domain name you will use.

set DOMAIN=<DOMAIN>
net localgroup Administrators %DOMAIN%\FileShareOwners /add

Workgroup

Execute the following command at an elevated command prompt on the File Server.

net localgroup Administrators FileShareOwners /add

5. Configure access control to the shares

Execute the following commands at an elevated command prompt on the File Server or on the File Server Failover Cluster node which is the current cluster resource owner. Replace values in italics with values specific to your environment.

Active Directory

set DOMAIN=<DOMAIN>
set WEBSITES_FOLDER=<C:\WebSites>

icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)

Workgroup

set WEBSITES_FOLDER=<C:\WebSites>

icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)

See Also

Deploy Windows Azure Pack: Web Sites