Pre-configure a Windows File Server Cluster or NAS device for Windows Azure Pack: Web Sites
Updated: August 11, 2015
Applies To: Windows Azure Pack
This chapter shows you how to configure your own File Server or File Server Cluster for use with Windows Azure Pack: Web Sites.
Background
If you choose the Standalone Windows File Server option during installation, file server preparation is not required and is automated for you. However, although the Standalone option is useful for "proof of concept" installations, a production environment usually requires a more robust solution such as a Windows File Server Cluster or a third-party Network Attached Storage (NAS) device. Windows Azure Pack: Web Sites does not depend on per-web site file share permissions, which enables it to work with heterogeneous file storage implementations such as NAS devices.
Warning
Windows Azure Pack: Web Sites relies on File Server Resource Manager (FSRM), which does not support scale-out file servers.
Note
As of Update Release 6, Windows Azure Pack: Web Sites no longer requires a Certificate Share and associated users. You will not be required to provide them in new installations. In upgraded installations the credentials and share remain but will not be used.
Five Main Steps
Pre-configuring your own Windows File Server, Windows File Server Cluster, or third party NAS device involves the following five main steps. The implementation of these steps varies depending on whether you are working in an Active Directory domain or in a workgroup environment. Steps for both environments are presented.
Note
Although it is beyond the scope of this document to provide configuration instructions for third-party NAS devices, you should generally follow the procedures presented here, making adjustments as required by your non-Windows file cluster or NAS device.
1. Provision Groups and Accounts
2. Enable Windows Remote Management (WinRM)
3. Provision the Content Share
4. Add the FileShareOwners group to the local Administrators group to enable WinRM
5. Configure access control to the shares
1. Provision Groups and Accounts
Provision Groups and Accounts in Active Directory
Create the following Active Directory global security groups:
FileShareOwners
FileShareUsers
Create the following Active Directory accounts as service accounts. The accounts to create are
FileShareOwner
FileShareUser
Note
As a security best practice, the users for these accounts (and for all Web Roles) should be distinct from each other and have strong user names and passwords. For more information, see Windows Azure Pack: Web Sites Security Enhancements.
The FileShareOwner and FileShareUser passwords must be set with the following conditions:
Enable Password never expires
Enable User cannot change password
Disable User must change password at next logon
Add the accounts to the group memberships as follows:
Add FileShareOwner to the FileShareOwners group
Add FileShareUser to the FileShareUsers group
Provision Groups and Accounts in a Workgroup
On a workgroup, run net and WMIC commands to provision groups and accounts.
Run the following commands to create the FileShareOwner and FileShareUser accounts. Replace <password> with your own values.
net user FileShareOwner <password> /add /expires:never /passwordchg:no
net user FileShareUser <password> /add /expires:never /passwordchg:no
Set the passwords for the accounts just created to never expire by running the following WMIC commands:
WMIC USERACCOUNT WHERE "Name='FileShareOwner'" SET PasswordExpires=FALSE
WMIC USERACCOUNT WHERE "Name='FileShareUser'" SET PasswordExpires=FALSE
Create the local groups FileShareUsers and FileShareOwners, and add the accounts in the first step to them.
net localgroup FileShareUsers /add
net localgroup FileShareUsers FileShareUser /add
net localgroup FileShareOwners /add
net localgroup FileShareOwners FileShareOwner /add
2. Enable Windows Remote Management (WinRM)
On the File Server role, or on each node of the Windows File Server Cluster if you are using a cluster, run the following commands at an elevated command prompt to configure WinRM:
powershell.exe Enable-PSRemoting -Force
winrm.cmd set winrm/config/winrs @{MaxConcurrentUsers="10";MaxShellsPerUser="50";MaxProcessesPerShell="5000";IdleTimeout="10000"}
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new remoteip=any
%windir%\system32\dism.exe /online /enable-feature /featurename:FSRM-Infrastructure /all
Warning
Do not run the above commands from a batch file. If you do so, the batch file will exit prematurely after the winrm.cmd script completes.
Optionally enable the File Server Resource Manager (FSRM) user interface on non-server core Windows
If you are not installing on Server Core for Windows Server, you can optionally enable the user interface for the File Server Resource Manager (FSRM).
Note
The FSRM user interface is not required. It cannot be installed on Server Core for Windows.
To enable the FSRM user interface, run the following command at an elevated command prompt:
%windir%\system32\dism.exe /online /enable-feature /featurename:FSRM-Management /all
3. Provision the Content Share
The Content Share contains tenant web site content.
The procedure to provision the content share on a single file server is the same for both Active Directory and Workgroup environments, but different for a Failover cluster in Active Directory.
Provision the content share on a single file server (AD or Workgroup)
On a single file server, run the following commands at an elevated command prompt. Replace <C:\WebSites> with the corresponding path in your environment.
set WEBSITES_SHARE=WebSites
set WEBSITES_FOLDER=<C:\WebSites>
md %WEBSITES_FOLDER%
net share %WEBSITES_SHARE% /delete
net share %WEBSITES_SHARE%=%WEBSITES_FOLDER% /grant:Everyone,full
Provision the content share on a Failover cluster (Active Directory)
On the Failover cluster, create the following UNC clustered resources:
- WebSites
4. Add the FileShareOwners group to the local Administrators group to enable WinRM
In order for Windows Remote Management to work properly, you must add the FileShareOwners group to the local Administrators group.
Active Directory
Execute the following commands at an elevated command prompt on the File Server, or on every File Server Failover Cluster node. Replace the value for <DOMAIN> with the domain name you will use.
set DOMAIN=<DOMAIN>
net localgroup Administrators %DOMAIN%\FileShareOwners /add
Workgroup
Execute the following command at an elevated command prompt on the File Server.
net localgroup Administrators FileShareOwners /add
5. Configure access control to the shares
Execute the following commands at an elevated command prompt on the File Server, or on the File Server Failover Cluster node that is the current cluster resource owner. Replace the values in angle brackets with values specific to your environment.
Active Directory
set DOMAIN=<DOMAIN>
set WEBSITES_FOLDER=<C:\WebSites>
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)
Workgroup
set WEBSITES_FOLDER=<C:\WebSites>
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)
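The following PowerShell script is an added post-configuration check and is not part of the original page; it verifies on the file server that the results of steps 3, 4 and 5 match the intended model (inheritance removed, only the expected identities present, write access limited to Administrators and FileShareOwners). The folder and share names are placeholders, and $AccountDomain is assumed to be the computer name for a workgroup or the NetBIOS domain name for Active Directory.

```powershell
# Added verification script (not from the original page). Run in an elevated
# PowerShell session on the file server after completing steps 1 to 5.
param(
    [string]$WebSitesFolder = 'C:\WebSites',      # placeholder; use your own path
    [string]$ShareName      = 'WebSites',
    [string]$AccountDomain  = $env:COMPUTERNAME   # workgroup; set to '<DOMAIN>' for AD
)
$R = [System.Security.AccessControl.FileSystemRights]
# Minimum rights each identity must hold, derived from the icacls lines in step 5.
# Any other identity on the folder is reported as unexpected.
$expected = @{
    'BUILTIN\Administrators'         = $R::FullControl                              # (F)
    "$AccountDomain\FileShareOwners" = $R::Modify                                   # (M)
    "$AccountDomain\FileShareUsers"  = $R::ReadAttributes -bor $R::ExecuteFile      # (S,X,RA)
    'Everyone'                       = $R::ReadData -bor $R::ReadAttributes -bor $R::ReadExtendedAttributes  # (RA,REA,RD)
}
$writeBits = [int]($R::WriteData -bor $R::AppendData -bor $R::WriteAttributes -bor
                   $R::WriteExtendedAttributes -bor $R::Delete)
$problems = @()

# Step 5: icacls /inheritance:r must have detached the folder from its parent ACL.
$acl = Get-Acl -Path $WebSitesFolder
if (-not $acl.AreAccessRulesProtected) { $problems += 'Inheritance is still enabled on the content folder' }
foreach ($ace in $acl.Access) {
    $who  = $ace.IdentityReference.Value
    $bits = [int]$ace.FileSystemRights
    if ($ace.AccessControlType -ne 'Allow') { $problems += "Deny ACE present for $who"; continue }
    if (-not $expected.ContainsKey($who))   { $problems += "Unexpected ACE for $who"; continue }
    $want = [int]$expected[$who]
    if (($bits -band $want) -ne $want) { $problems += "$who is missing required rights" }
    # Only Administrators and FileShareOwners may write; Everyone and FileShareUsers are read-only.
    if ($who -notmatch 'Administrators$|FileShareOwners$' -and ($bits -band $writeBits)) {
        $problems += "$who holds write rights on the content folder"
    }
}

# Step 3: the share must exist and point at the content folder.
$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if (-not $share) { $problems += "Share $ShareName does not exist" }
elseif ($share.Path -ne $WebSitesFolder) { $problems += "Share $ShareName points at $($share.Path), not $WebSitesFolder" }

# Step 4: FileShareOwners must be a member of local Administrators for WinRM to work.
$admins = net localgroup Administrators
if (-not ($admins -match 'FileShareOwners$')) { $problems += 'FileShareOwners is not in the local Administrators group' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Content share, ACL and group membership match the expected configuration.'
```

On a Failover Cluster, run the script on the node that currently owns the cluster resource, since that is where the folder ACL was applied.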