Pre-configure a Windows File Server Cluster or NAS device for Windows Azure Pack: Web Sites

Updated: October 2013

Applies To: Windows Azure Pack for Windows Server

This chapter shows you how to configure your own File Server or File Server Cluster for use with Windows Azure Pack: Web Sites.

Background

If you choose the Standalone Windows File Server option during installation, file server preparation is not required and is automated for you. However, although the Standalone option is useful for "proof of concept" installations, a production environment usually requires a more robust solution such as a Windows File Server Cluster or a third-party Network Attached Storage (NAS) device. Windows Azure Pack: Web Sites does not depend on per-web-site file share permissions, which enables it to work with heterogeneous file storage implementations such as NAS devices.

Warning
Windows Azure Pack: Web Sites relies on File Server Resource Manager (FSRM), which does not support scale-out file servers.

Five Main Steps

Pre-configuring your own Windows File Server, Windows File Server Cluster, or third party NAS device involves the following five main steps. The implementation of these steps varies depending on whether you are working in an Active Directory domain or in a workgroup environment. Steps for both environments are presented.

Note
Although it is beyond the scope of this document to provide configuration instructions for third-party NAS devices, you should generally follow the procedures presented here, making adjustments as required by your non-Windows file cluster or NAS device.

1. Provision Groups and Accounts

2. Enable Windows Remote Management (WinRM)

3. Provision the Content Share and the Certificate Share

4. Add the FileShareOwners group to the local Administrators group to enable WinRM

5. Configure access control to the shares

   

In an Active Directory domain, provision the groups and accounts as follows:

  1. Create the following Active Directory global security groups:

    1. FileShareOwners

    2. FileShareUsers

    3. CertStoreFSUsers

  2. Create the following Active Directory accounts as service accounts:

    1. FileShareOwner

    2. FileShareUser

    3. CentralCertStoreUser (When the standalone file server option is used, this account is called CertificateShareUser).

      Note
      As a security best practice, the users for these accounts (and for all Web Roles) should be distinct from each other and have strong user names and passwords. For more information, see Windows Azure Pack: Web Sites Security Enhancements.

      The FileShareOwner, FileShareUser, and CentralCertStoreUser passwords must be set with the following conditions:

      • Enable Password never expires

      • Enable User cannot change password

      • Disable User must change password at next logon

  3. Add the accounts to the group memberships as follows:

    1. Add FileShareOwner to the FileShareOwners group

    2. Add FileShareUser to the FileShareUsers group

    3. Add CentralCertStoreUser to the CertStoreFSUsers group
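The three Active Directory steps above, as an added PowerShell example that is not part of the original article. It uses the ActiveDirectory module to create the groups and service accounts with the required password settings, then reads the accounts back and reports any account whose settings deviate from the requirements (the part worth keeping as a post-install check). The OU path, the CONTOSO domain and the function names are assumptions; RSAT-AD-PowerShell must be installed and the caller must be able to create objects.

```powershell
# Added example (not part of the original article): provision the Web Sites file-server
# groups and service accounts in an Active Directory domain, then verify the password
# flags the article requires. Assumed values: the OU path and the CONTOSO domain.
Import-Module ActiveDirectory

$TargetOU = 'OU=WebSitesServiceAccounts,DC=contoso,DC=com'   # assumed OU, adjust to your forest

# Group -> service account, as listed in the article.
$Memberships = @{
    FileShareOwners  = 'FileShareOwner'
    FileShareUsers   = 'FileShareUser'
    CertStoreFSUsers = 'CentralCertStoreUser'
}

function New-StrongPassword([int]$Length = 24) {
    # Random characters from a CSPRNG. The alphabet has exactly 64 entries, so
    # byte % 64 is unbiased; I, O, i, l, o, 0 and 1 are omitted to avoid look-alikes.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function New-WebSitesFileServerPrincipals([string]$OU = $TargetOU) {
    # Returns the passwords generated for newly created accounts; hand them to the
    # Web Sites installer and then discard them. Existing objects are left untouched.
    $secrets = @{}
    foreach ($group in $Memberships.Keys) {
        $account = $Memberships[$group]
        if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
            New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $OU
        }
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$account'")) {
            $plain = New-StrongPassword
            New-ADUser -Name $account -SamAccountName $account -Path $OU `
                -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
                -Enabled $true `
                -PasswordNeverExpires $true `
                -CannotChangePassword $true `
                -ChangePasswordAtLogon $false
            $secrets[$account] = $plain
        }
        Add-ADGroupMember -Identity $group -Members $account
    }
    return $secrets
}

function Test-WebSitesFileServerPrincipals {
    # Returns one line per deviation from the article's requirements; empty means compliant.
    $problems = @()
    foreach ($group in $Memberships.Keys) {
        $account = $Memberships[$group]
        $u = Get-ADUser -Identity $account -Properties PasswordNeverExpires, CannotChangePassword, pwdLastSet
        if (-not $u.PasswordNeverExpires) { $problems += "${account}: password expires" }
        if (-not $u.CannotChangePassword) { $problems += "${account}: user can change password" }
        if ($u.pwdLastSet -eq 0)          { $problems += "${account}: must change password at next logon" }
        $members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
        if ($members -notcontains $account) { $problems += "${account}: not a member of $group" }
    }
    return $problems
}

$secrets = New-WebSitesFileServerPrincipals
$issues  = Test-WebSitesFileServerPrincipals
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Accounts and groups match the article.' }
```

The check function is the useful part to keep around: a password that silently expires on one of these accounts takes the content share offline for every tenant, and the pwdLastSet test catches the "must change password at next logon" flag that a helpdesk tool can re-enable after the fact.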

In a workgroup, run the net and WMIC commands below to provision the groups and accounts.

  1. Run the following commands to create the FileShareOwner, FileShareUser, and CentralCertStoreUser accounts. Replace <password> with your own values.

    net user FileShareOwner <password> /add /expires:never /passwordchg:no
    net user FileShareUser <password> /add /expires:never /passwordchg:no
    net user CentralCertStoreUser <password> /add /expires:never /passwordchg:no
    
  2. The /expires:never switch in the previous step only prevents the account itself from expiring. Set the passwords of the accounts just created to never expire by running the following WMIC commands:

    WMIC USERACCOUNT WHERE "Name='FileShareOwner'" SET PasswordExpires=FALSE
    WMIC USERACCOUNT WHERE "Name='FileShareUser'" SET PasswordExpires=FALSE
    WMIC USERACCOUNT WHERE "Name='CentralCertStoreUser'" SET PasswordExpires=FALSE
    
  3. Create the local groups CertStoreFSUsers, FileShareUsers and FileShareOwners, and add the accounts in the first step to them.

    net localgroup CertStoreFSUsers /add
    net localgroup CertStoreFSUsers CentralCertStoreUser /add
    net localgroup FileShareUsers /add
    net localgroup FileShareUsers FileShareUser /add
    net localgroup FileShareOwners /add
    net localgroup FileShareOwners FileShareOwner /add
    

On the File Server role, or on each node of the Windows File Server Cluster if you are using a cluster, run the following commands at an elevated command prompt to configure WinRM:

powershell.exe Enable-PSRemoting -Force
winrm.cmd set winrm/config/winrs @{MaxConcurrentUsers="10";MaxShellsPerUser="50";MaxProcessesPerShell="5000";IdleTimeout="10000"}

netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new remoteip=any

%windir%\system32\dism.exe /online /enable-feature /featurename:FSRM-Infrastructure /all
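The same WinRM, firewall and FSRM configuration as an added PowerShell script (not from the original article), to run elevated on the file server or on every cluster node. It departs from the netsh line above in one deliberate way: the article's remoteip=any opens the WinRM listener to every address, whereas this script scopes the firewall rule to the hosts that need to reach the file server over WinRM. The 10.0.1.0/24 range and the function names are assumptions; substitute the ranges of your own management hosts. Because this is a .ps1 rather than a batch file, the winrm.cmd early-exit problem described in the warning does not arise.

```powershell
# Added example (not part of the original article): WinRM, WinRS limits, firewall
# scoping and FSRM in PowerShell. Assumption: the hosts that must reach this file
# server over WinRM live in 10.0.1.0/24 (illustrative value).
$ManagementSubnets = @('10.0.1.0/24')

# WinRS limits from the article's winrm.cmd line, keyed by WSMan: setting name.
$ShellLimits = @{
    MaxConcurrentUsers   = 10
    MaxShellsPerUser     = 50
    MaxProcessesPerShell = 5000
    IdleTimeout          = 10000
}

function Set-WebSitesFileServerWinRm([string[]]$RemoteAddress = $ManagementSubnets) {
    Enable-PSRemoting -Force

    foreach ($name in $ShellLimits.Keys) {
        Set-Item -Path "WSMan:\localhost\Shell\$name" -Value $ShellLimits[$name]
    }

    # "netsh ... remoteip=any" equals -RemoteAddress Any. Scoping the rule means only
    # the listed addresses can even attempt WinRM authentication against this host.
    Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' `
        -Enabled True -RemoteAddress $RemoteAddress

    # FS-Resource-Manager is the FSRM-Infrastructure feature the article enables with
    # dism; the FSRM console (management tools) is optional and absent on Server Core.
    Install-WindowsFeature -Name FS-Resource-Manager | Out-Null
}

function Test-WebSitesFileServerWinRm {
    # Returns a list of deviations from the intended state; empty means all good.
    $problems = @()
    foreach ($name in $ShellLimits.Keys) {
        $actual = (Get-Item -Path "WSMan:\localhost\Shell\$name").Value
        if ([int]$actual -ne $ShellLimits[$name]) {
            $problems += "${name} is $actual, expected $($ShellLimits[$name])"
        }
    }
    foreach ($rule in Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)') {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($rule.Enabled -eq 'True' -and ($remote -contains 'Any')) {
            $problems += "rule $($rule.Name) accepts WinRM from any address"
        }
    }
    if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
        $problems += 'FS-Resource-Manager is not installed'
    }
    try { Test-WSMan -ErrorAction Stop | Out-Null }
    catch { $problems += "local WinRM listener is not answering: $_" }
    return $problems
}

Set-WebSitesFileServerWinRm
$issues = Test-WebSitesFileServerWinRm
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Output 'WinRM and FSRM configured as intended.' }
```

Set-NetFirewallRule by display name touches every profile's copy of the rule, which is what you want here; the test function flags any enabled copy that still accepts connections from Any.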

Warning
Do not run the above commands from a batch file. If you do so, the batch file will exit prematurely after the winrm.cmd script completes.

If you are not installing on Server Core for Windows Server, you can optionally enable the user interface for the File Server Resource Manager (FSRM).

Note
The FSRM user interface is not required. It cannot be installed on Server Core for Windows.

To enable the FSRM user interface, run the following command at an elevated command prompt:

%windir%\system32\dism.exe /online /enable-feature /featurename:FSRM-Management /all

The Content Share contains tenant web site content, whereas the Certificate Share contains custom tenant certificates.

The procedure to provision the content share and the certificate share on a single file server is the same for both Active Directory and Workgroup environments, but different for a Failover cluster in Active Directory.

On a single file server, run the following commands at an elevated command prompt. Replace the values for <C:\WebSites> and <C:\Certificates> with the corresponding paths in your environment.

set WEBSITES_SHARE=WebSites
set CERTIFICATES_SHARE=Certificates
set WEBSITES_FOLDER=<C:\WebSites>
set CERTIFICATES_FOLDER=<C:\Certificates>
 
md %WEBSITES_FOLDER%
md %CERTIFICATES_FOLDER%
 
net share %WEBSITES_SHARE% /delete
net share %WEBSITES_SHARE%=%WEBSITES_FOLDER% /grant:Everyone,full
 
net share %CERTIFICATES_SHARE% /delete
net share %CERTIFICATES_SHARE%=%CERTIFICATES_FOLDER% /grant:Everyone,full

On the Failover cluster, create the following UNC clustered resources:

  1. WebSites

  2. Certificates

In order for Windows Remote Management to work properly, you must add the FileShareOwners group to the local Administrators group.

Execute the following commands at an elevated command prompt on the File Server, or on every File Server Failover Cluster node. Replace the value for <DOMAIN> with the domain name you will use.

set DOMAIN=<DOMAIN>
net localgroup Administrators %DOMAIN%\FileShareOwners /add

In a workgroup, execute the following command at an elevated command prompt on the File Server.

net localgroup Administrators FileShareOwners /add

In an Active Directory domain, execute the following commands at an elevated command prompt on the File Server, or on the File Server Failover Cluster node that currently owns the cluster resource. Replace the values in angle brackets with values specific to your environment.

set DOMAIN=<DOMAIN>
set WEBSITES_FOLDER=<C:\WebSites>
set CERTIFICATES_FOLDER=<C:\Certificates>
 
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)
 
icacls %CERTIFICATES_FOLDER% /reset
icacls %CERTIFICATES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(F)
icacls %CERTIFICATES_FOLDER% /inheritance:r
icacls %CERTIFICATES_FOLDER% /grant %DOMAIN%\CertStoreFSUsers:(OI)(CI)(RX)

In a workgroup, execute the following commands at an elevated command prompt on the File Server, using the local group names. Replace the values in angle brackets with values specific to your environment.

set WEBSITES_FOLDER=<C:\WebSites>
set CERTIFICATES_FOLDER=<C:\Certificates>
 
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)
 
icacls %CERTIFICATES_FOLDER% /reset
icacls %CERTIFICATES_FOLDER% /grant FileShareOwners:(OI)(CI)(F)
icacls %CERTIFICATES_FOLDER% /inheritance:r
icacls %CERTIFICATES_FOLDER% /grant CertStoreFSUsers:(OI)(CI)(RX)
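The two icacls sequences above (Active Directory and workgroup) as one added PowerShell example that is not part of the original article. It builds the same DACLs with the .NET ACL classes, then reads them back and reports anything that contradicts the intent: inheritance still enabled, Everyone able to write, FileShareUsers able to list or read content directly, CertStoreFSUsers able to modify certificates, or any Everyone ACE on the certificate folder. Everyone and Administrators are addressed by well-known SID (S-1-1-0, S-1-5-32-544, matching the *S-1-1-0 form the article uses) so the script works regardless of the server's display language. The paths, the CONTOSO domain prefix and the function names are assumptions; run it elevated on the file server or on the node that owns the cluster resource.

```powershell
# Added example (not part of the original article): the content and certificate
# folder DACLs from the icacls lines, applied and verified. Assumed values: the
# folder paths and the 'CONTOSO\' prefix (use '' on a workgroup file server).

function Get-Account([string]$Name) { New-Object System.Security.Principal.NTAccount($Name) }
function Get-Sid([string]$Name) {
    (Get-Account $Name).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-Ace {
    # One Allow ACE; rights and flags take the enum names, e.g. 'ReadAttributes, ReadData'.
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagation = 'None'
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $Propagation, 'Allow')
}

function Get-ContentShareRules([string]$Prefix) {
    $admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    @(
        New-Ace $admins 'FullControl' 'ContainerInherit, ObjectInherit'                                 # (OI)(CI)(F)
        New-Ace (Get-Account "${Prefix}FileShareOwners") 'Modify' 'ContainerInherit, ObjectInherit'     # (OI)(CI)(M)
        # (CI)(S,X,RA): traverse the tree and read attributes, but never list or read content
        New-Ace (Get-Account "${Prefix}FileShareUsers") 'Synchronize, ExecuteFile, ReadAttributes' 'ContainerInherit'
        # (OI)(CI)(IO)(RA,REA,RD): children only; read, never write
        New-Ace $everyone 'ReadAttributes, ReadExtendedAttributes, ReadData' 'ContainerInherit, ObjectInherit' 'InheritOnly'
    )
}

function Get-CertificateShareRules([string]$Prefix) {
    @(
        New-Ace (Get-Account "${Prefix}FileShareOwners") 'FullControl' 'ContainerInherit, ObjectInherit'      # (OI)(CI)(F)
        New-Ace (Get-Account "${Prefix}CertStoreFSUsers") 'ReadAndExecute' 'ContainerInherit, ObjectInherit'  # (OI)(CI)(RX)
    )
}

function Set-FolderAcl([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules) {
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # A fresh DACL, protected from inheritance with inherited ACEs discarded: the end
    # state of "icacls /reset", the /grant lines and "icacls /inheritance:r" combined.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

$WriteBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-WebSitesAcl([string]$ContentPath, [string]$CertPath, [string]$Prefix) {
    # Returns the findings a reviewer would flag; an empty result means the DACLs match the intent.
    $problems  = @()
    $users     = Get-Sid "${Prefix}FileShareUsers"
    $certUsers = Get-Sid "${Prefix}CertStoreFSUsers"
    foreach ($path in @($ContentPath, $CertPath)) {
        $acl = Get-Acl -LiteralPath $path
        if (-not $acl.AreAccessRulesProtected) { $problems += "$path still inherits ACEs from its parent" }
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid      = $ace.IdentityReference.Value
            $canWrite = ([int]($ace.FileSystemRights -band $WriteBits)) -ne 0
            $canRead  = ([int]($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) -ne 0
            if ($sid -eq 'S-1-1-0' -and $canWrite)           { $problems += "Everyone can write under $path" }
            if ($sid -eq 'S-1-1-0' -and $path -eq $CertPath) { $problems += "Everyone has an ACE on the certificate folder $path" }
            if ($sid -eq $users -and $canRead)               { $problems += "FileShareUsers can read or list $path directly" }
            if ($sid -eq $certUsers -and $canWrite)          { $problems += "CertStoreFSUsers can modify $path" }
        }
    }
    return $problems
}

# Usage with assumed values; set $Prefix = '' on a workgroup file server.
$Prefix = 'CONTOSO\'
Set-FolderAcl -Path 'C:\WebSites'     -Rules (Get-ContentShareRules $Prefix)
Set-FolderAcl -Path 'C:\Certificates' -Rules (Get-CertificateShareRules $Prefix)
$issues = Test-WebSitesAcl -ContentPath 'C:\WebSites' -CertPath 'C:\Certificates' -Prefix $Prefix
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Output 'DACLs match the intended layout.' }
```

Like the icacls lines, Set-FolderAcl rewrites only the top folder's DACL; Windows propagates the inheritable ACEs to existing children, but an explicit ACE someone has added to a child is not removed. Run Test-WebSitesAcl again after any storage migration or NAS firmware change, since those are the moments when inheritance tends to come back.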

See Also

 