Using Active Directory with IIS 7.0 webfarms by Steve Schofield (Configuring IIS 7.0 web farms)


This post is targeted at helping IIS Administrators understand how Active Directory can be used by IIS web-farms.  My goal is to help anyone looking to deploy IIS (in a web-farm scenario) and use Active Directory as an authentication store.  There are several moving parts related to a web-farm. 

  1. Content deployment
  2. Configuration management, including Shared Configuration
  3. SSL certificates
  4. Logging
  5. FTP deployment using Active Directory
  6. Load-balancing (hardware and software)
  7. Hardware selection for web-farms
  8. Virtual servers or physical machines

As you can see, it's easy to get confused, and this makes troubleshooting a web-farm more difficult than a stand-alone server.  For purposes of this post, we'll focus on Active Directory and web-farms.   Here is an introduction of the topics we'll be covering in this post.

Web-farms

  • What is a web-farm?
  • Why do I need a web farm?
  • How do I distribute traffic to all machines?
  • What is a Virtual IP address?
  • Diagram of a web-farm?

Active Directory

  • What is Active Directory?
  • Do I need Active Directory?
  • Diagram of Active Directory

Deployment of a test environment

  • Deploying Active Directory
  • Deploying member servers with IIS
  • Setup your machines. 
  • Setting up example1.com on Server1, Server2
  • Setup NLB (network load-balancing)
  • Create AD users and Groups
  • Create Remote Share on file server
  • Configure IIS to use a remote share.

Web-farms

What is a web-farm?  A web-farm is 2 or more machines hosting a single instance of a website.  Pretty simple huh?!  Yes, that is the definition of a web-farm.   Wikipedia has a reference to a Server Farm.  Web-farm or server farm, they are pretty much the same thing, just worded differently.  Wikipedia's definition includes the term "cluster".  

In my opinion, a cluster provides failover of a single instance of something.  For example, if you have two machines hosting a single instance of a database, the database instance only runs on one server; the other server participating in the cluster is idle.  I refer to two machines hosting a single instance as an Active/Passive cluster.

Why do I need a web farm? - Running a single website on multiple machines has many benefits.  Probably the biggest reason is scalability, followed by redundancy.  Scalability matters when you need your website to handle increasing workloads or peaks in traffic.  Another benefit is controlled change management in a production environment.  For instance, you have 2 machines in your web-farm and you want to update your website.  You can take Server1 out of rotation, update and test the code, then introduce it back into rotation.  If you experience issues, you can reverse the code changes back to the original set of files.  While you have been testing your updates, the website has been running without interruption on Server2. Once you have worked out any issues, you can perform the same steps on Server2 while Server1 handles requests.

How do I distribute traffic to both machines?  You would use some form of load-balancing.  Microsoft provides a free version called Network Load Balancing.   There are also 3rd party load-balancers by Cisco, F5 and Foundry Networks.   You could also use DNS round-robin load-balancing.  You would set up two separate A records for a single DNS name (http://www.example.com/).  For example, Server1's IP address is 192.168.1.10 and Server2's is 192.168.1.11.   You would have an A record for www.example.com pointed to 192.168.1.10 (Server1) and another A record pointed to 192.168.1.11 (Server2).  When a person requests a record for www.example.com, one request would go to Server1 and the second request would go to Server2.  The downside of DNS load-balancing is that it does no health checking: if a server is not responding, in this example half of your requests would fail.

What is a Virtual IP address? A virtual IP address (VIP) is usually not connected to a specific server.  It's normally configured on a hardware load-balancer that distributes traffic.  If you are using Microsoft's NLB, it has the ability to distribute traffic to multiple machines while not being tied to a specific server.  Confused?!  For more information on how Microsoft's NLB works, please review the documentation.  One clarification: if you were using DNS round-robin to distribute traffic, there would not be a need for a virtual IP address.

Web-farm Diagram


Active Directory

What is Active Directory? Active Directory is Microsoft's version of directory services.  Directory services provide a central database for authentication, print services, file share access and other features.  Here is the Wikipedia definition.  Active Directory provides LDAP (Lightweight Directory Access Protocol) services.   Active Directory uses DNS to help resolve the names of objects, including servers and domain controllers.  For purposes of this article, we will not cover Active Directory in depth but rather show how it's used in a web-farm scenario.  For more information on Active Directory, we recommend checking out TechNet.

Do I need Active Directory for a web farm?  You technically do not need Active Directory to run a web-farm.  Each machine could be a stand-alone server and use the local SAM database for user accounts.  If you needed to do authentication between machines, you would need to create the same user account and password on each machine and grant the same permissions.  The strength of using Active Directory is the ability to have a central authentication resource.  For our purposes, we'll be using domain accounts for application pools and anonymous users.

Diagram of Active Directory

Here is an article that covers creating the AD forest used in this post.

Deployment of a test environment

For purposes of this article, I'm going to use Virtual PC to show how easy it is to set up an environment.  You could also use VMware or Hyper-V for testing.  The host machine is running Windows Server 2008 Enterprise x64 edition.  It has 4 GB of RAM and a 250 GB IDE hard drive.  (PS: my host machine doesn't support Hyper-V)

Necessary software / Assumptions

  • Windows Server 2008 trial software (I'm using standard edition)
  • Virtual PC 2007
  • Your host box has enough resources to run 3 or 4 instances of Windows Server 2008

Setup your machines.

  • Download and install Virtual PC
  • Download the ISO version of Windows Server 2008
  • Create a single instance of Windows Server 2008.  The first machine will be DC1
  • Create a second machine; this will be DC2
  • Create a third machine, call it Server1 (inside this VM, add an additional network adapter)
  • Create a fourth machine, call it Server2 (inside this VM, add an additional network adapter)

Create Websites on Server1, Server2

  • Create a website on both servers, pointed to c:\inetpub\wwwroot.  This will be changed later on to use a remote share.

Setup NLB (network load-balancing)

For our example, we set up Microsoft Network Load Balancing. 

  • Here is an article that covers this option

Create AD users and Groups

Log into your domain controller and create 3 items (an FTP user, an anonymous user and a group).

  • Here is an article that covers AD groups

Create Remote Share on file server

This section covers setting up your file server and granting permissions to the AD group.

  • Here is the article that covers how to Create the folder share

Configure IIS to use a remote share.

This section covers setting up IIS to use the remote share and setting the application pool to run as the AD user.

  • Here is the article that covers how-to setup IIS 7.0
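As an added example (not code from the original post), here is the IIS side of the steps above scripted with appcmd from PowerShell on one farm node; the domain name EXAMPLE, the share \\FS1\example1, the group EXAMPLE\WebFarmUsers and the service account names are assumptions, and the same commands are run on both Server1 and Server2.

```powershell
# Added example, not from the original post. Assumed names: domain EXAMPLE,
# file server FS1 sharing D:\example1 as \\FS1\example1, AD group
# EXAMPLE\WebFarmUsers, app pool account EXAMPLE\svc_example1 and
# anonymous account EXAMPLE\svc_anon (both members of that group).
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$site   = "example1.com"
$share  = "\\FS1\example1"

# On FS1 (not on the web servers): grant the AD group read/execute on the
# content folder instead of Everyone, so only farm accounts can read it:
#   icacls D:\example1 /grant "EXAMPLE\WebFarmUsers:(OI)(CI)RX"

# Prompt for the account passwords instead of hard-coding them in a script.
$poolCred = Get-Credential "EXAMPLE\svc_example1"
$anonCred = Get-Credential "EXAMPLE\svc_anon"
$poolPwd  = $poolCred.GetNetworkCredential().Password
$anonPwd  = $anonCred.GetNetworkCredential().Password

# 1. Dedicated application pool running as the domain service account.
#    IIS stores the password encrypted in applicationHost.config.
& $appcmd add apppool "/name:$site"
& $appcmd set apppool $site "/processModel.identityType:SpecificUser" `
    "/processModel.userName:$($poolCred.UserName)" "/processModel.password:$poolPwd"

# 2. Site whose physical path is the UNC share on the file server.
& $appcmd add site "/name:$site" "/bindings:http/*:80:www.$site" "/physicalPath:$share"
& $appcmd set app "$site/" "/applicationPool:$site"

# 3. Connect-as credentials for the share, so IIS reads content as the
#    service account rather than the machine account.
& $appcmd set vdir "$site/" "/userName:$($poolCred.UserName)" "/password:$poolPwd"

# 4. Anonymous requests run as the dedicated AD anonymous user, not IUSR,
#    so the same identity applies on every node of the farm.
& $appcmd set config $site "/section:system.webServer/security/authentication/anonymousAuthentication" `
    "/userName:$($anonCred.UserName)" "/password:$anonPwd" /commit:apphost

# Verify: the pool identity and site path should show the domain account and the share.
& $appcmd list apppool $site /text:*
& $appcmd list vdir "$site/" /text:*
```

Repeat the script on each web server; because the content and the identities live on the file server and in AD, the nodes stay interchangeable behind NLB.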

In summary, this article covers how to set up and configure an environment using Active Directory as the authentication store for web-farms.  Web-farms can help with scalability and redundancy.   Here are some additional resources I found while writing this blog.

  • Web Farm and Active Directory Authentication
  • IIS 7.0 web-farm forum
  • IIS 5.0 and 6.0 web farm forums
  • How to authenticate against the Active Directory by using forms authentication and Visual Basic .NET
  • FTP User isolation tool by Chris Crowe
  • Deploying and Managing Microsoft .NET Web Farms (Sams White Book) (Paperback)
  • IIS 7.0 Resource guide by MS Press(I'm co-author on this book!)
  • Chapter 16 - Configuring and Load-balancing web farms (Professional IIS 7.0 by Wrox)
  • Professional IIS 7 book by Wrox
  • How to Cheat at IIS 7 Server Administration
  • AD DS Installation and Removal Step-by-Step Guide
  • SMB registry commands
  • Learn.iis.net articles

I hope you find this article helpful.

Steve Schofield
Microsoft MVP - IIS
