This post is targeted at helping IIS administrators understand how Active Directory can be used by IIS web-farms. My goal is to help anyone looking to deploy IIS (in a web-farm scenario) and use Active Directory as an authentication store. There are several moving parts related to a web-farm.
As you can see, it's easy to get confused, and that makes troubleshooting a web-farm more difficult than a stand-alone server. For purposes of this post, we'll focus on Active Directory and web-farms. Here is an introduction to the topics we'll be covering in this post.
Web-farms
Active Directory
Deployment of a test environment
Web-farms
What is a web-farm? A web-farm is 2 or more machines hosting a single instance of a website. Pretty simple huh?! Yes, that is the definition of a web-farm. Wikipedia has a reference to a Server Farm. Web-farm or server farm, they are pretty much the same thing, just worded differently. Wikipedia's definition includes the term "cluster".
In my opinion, a cluster provides failover of a single instance of something. For example, you might have two machines hosting a single instance of a database: the database instance only runs on one server at a time, and the other server participating in the cluster is idle. I refer to two machines hosting a single instance as an Active/Passive cluster.
Why do I need a web farm? - Running a single website on multiple machines has many benefits. Probably the biggest reason is scalability, followed by redundancy. Scalability matters when you need your website to handle increasing workloads or peaks in traffic. Another benefit is controlled change management in a production environment. For instance, you have 2 machines in your web-farm and you want to update your website. You can take Server1 out of rotation, update and test the code, then introduce it back into rotation. If you experience issues, you can reverse the code changes back to the original set of files. While you have been testing your updates, the website has been running without interruption on Server2. Once you have worked out any issues, you can perform the same steps on Server2 while Server1 handles requests.
How do I distribute traffic to both machines? You would use some form of load-balancing. Microsoft provides a free version called Network Load Balancing (NLB). There are also 3rd party load-balancers by Cisco, F5 and Foundry Networks. You could also use DNS round-robin load-balancing: you would set up two separate A records for a single DNS name (http://www.example.com/). For example, Server1's IP address is 192.168.1.10 and Server2's is 192.168.1.11. You would have an A record for www.example.com pointing to 192.168.1.10 (Server1) and another A record for the same name pointing to 192.168.1.11 (Server2). When a person requests a record for www.example.com, one request would go to Server1 and the second request would go to Server2. The downside of DNS load-balancing is that DNS has no idea whether a server is responding: in this example, if one server is down, half of your requests would fail.
What is a virtual IP address? A virtual IP address (VIP) is usually not connected to a specific server. It's normally configured on a hardware load-balancer that distributes traffic. If you are using Microsoft's NLB, it has the ability to distribute traffic to multiple machines while not being tied to a specific server. Confused?! For more information on how Microsoft's NLB works, please review the documentation. One clarification: if you were using DNS round-robin to distribute traffic, there would not be a need for a virtual IP address.
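The DNS round-robin setup described above, written as an added example (not from the original post). It assumes the Windows DnsServer PowerShell module on a DNS server that is authoritative for example.com, and uses the post's two addresses; the health probe at the end is one way to limit the "half of requests fail" downside, since DNS itself never notices a dead server.

```powershell
# Added example: two A records for www.example.com give DNS round-robin.
# Assumes the DnsServer module (Windows Server 2012+ DNS role); addresses are the post's values.
Import-Module DnsServer
$zone    = 'example.com'
$name    = 'www'
$servers = '192.168.1.10', '192.168.1.11'   # Server1, Server2
$ttl     = [TimeSpan]::FromSeconds(30)      # short TTL so caches drop a removed record quickly

# Two records with the same name: the DNS server rotates the answer order between queries.
foreach ($ip in $servers) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $ip -TimeToLive $ttl
}

# DNS keeps handing out a record even when that server is down, so probe each node
# over HTTP and take failing nodes out of rotation (put them back once healthy).
function Test-FarmNode([string]$ip) {
    try {
        $r = Invoke-WebRequest -Uri "http://$ip/" -TimeoutSec 5 -UseBasicParsing
        return ($r.StatusCode -eq 200)
    } catch {
        return $false
    }
}

foreach ($ip in $servers) {
    $inDns = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue |
             Where-Object { $_.RecordData.IPv4Address.ToString() -eq $ip }
    if (Test-FarmNode $ip) {
        if (-not $inDns) { Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $ip -TimeToLive $ttl }
    } elseif ($inDns) {
        # Remove only this server's record; the other A record keeps the site reachable.
        Remove-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -RecordData $ip -Force
    }
}
```

Run the probe loop on a schedule; even so, clients that cached the removed answer keep failing until the TTL expires, which is the gap a hardware load-balancer or NLB closes with its own health checks.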
Web-farm Diagram
Active Directory
What is Active Directory? Active Directory is Microsoft's version of directory services. Directory services provide a central database for authentication, print services, file share access and other features. Here is the Wikipedia definition. Active Directory provides LDAP (Lightweight Directory Access Protocol) services. Active Directory uses DNS to help resolve the names of objects such as servers and domain controllers. For purposes of this article, we will not cover Active Directory in depth but rather show how it's used in a web-farm scenario. For more information on Active Directory, we recommend checking out TechNet.
Do I need Active Directory for a web farm? You technically do not need Active Directory to run a web-farm. Each machine could be a stand-alone server and use the local SAM database for user accounts. If you needed to authenticate between machines, you would have to create the same user account with the same password on each machine and grant the same permissions. The strength of using Active Directory is the ability to have a central authentication resource. For our purposes, we'll be using domain accounts for application pools and anonymous users.
Diagram of Active Directory
Here is an article that covers creating the AD forest used in this post.
Deployment of a test environment
For purposes of this article, I'm going to use Virtual PC to show how easy it is to set up an environment. You could also use VMware or Hyper-V for testing. The host machine is running Windows Server 2008 Enterprise x64 edition. It has 4 GB of RAM and a 250 GB IDE hard drive. (PS: my host machine doesn't support Hyper-V.)
Necessary software / Assumptions
Setup your machines.
Create Websites on Server1, Server2
Setup NLB (network load-balancing)
For our example, we set up Microsoft Network Load Balancing.
Create AD users and Groups
Log into your domain controller and create 3 items (an FTP user, an anonymous user and a group).
Create Remote Share on file server
This section covers setting up your file server and granting permissions to the AD group.
Configure IIS to use a remote share.
This section covers setting up IIS to use the remote share and setting the application pool to run as the AD user.
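The steps above (create the AD accounts and group, share the content folder to the group, point IIS at the share under a domain identity) as one added PowerShell example; this is not the post's own procedure, which used the GUI tools of the day. It assumes the ActiveDirectory, SmbShare and WebAdministration modules (Windows Server 2012+), a domain named CONTOSO, a file server named FS1 and account/share names that are constructed placeholders.

```powershell
# Added example; domain, server and account names are constructed placeholders.
Import-Module ActiveDirectory, SmbShare, WebAdministration
$domain   = 'CONTOSO'
$group    = 'WebFarmUsers'          # group that receives share and NTFS permissions
$poolUser = 'svc_webfarm_pool'      # application pool identity
$anonUser = 'svc_webfarm_anon'      # IIS anonymous user
$ftpUser  = 'svc_webfarm_ftp'       # content-upload account, as in the post
$secret   = Read-Host -AsSecureString 'Password for the service accounts'
$plain    = [System.Net.NetworkCredential]::new('', $secret).Password   # IIS config needs plaintext

# Step 1 (domain controller): one group, three plain user accounts. No admin group membership;
# the accounts get exactly the share/NTFS rights granted below and nothing else.
New-ADGroup -Name $group -GroupScope Global
foreach ($u in $poolUser, $anonUser, $ftpUser) {
    New-ADUser -Name $u -SamAccountName $u -AccountPassword $secret -Enabled $true `
               -PasswordNeverExpires $true -CannotChangePassword $true
}
Add-ADGroupMember -Identity $group -Members $poolUser, $anonUser   # ftp user handled by the FTP site, not the web share

# Step 2 (file server FS1): share the content folder to the group only.
# Share rights are Read; NTFS rights are ReadAndExecute so a compromised site cannot rewrite its own content.
$path = 'D:\Shares\wwwroot'
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-SmbShare -Name 'wwwroot$' -Path $path -ReadAccess "$domain\$group" -FullAccess "$domain\Domain Admins"
$acl  = Get-Acl $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$domain\$group", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Step 3 (each web server): app pool runs as the domain user, site content lives on the UNC share,
# anonymous requests are impersonated as the dedicated anonymous domain user.
New-WebAppPool -Name 'FarmPool' | Out-Null
Set-ItemProperty 'IIS:\AppPools\FarmPool' -Name processModel `
    -Value @{ identityType = 3; userName = "$domain\$poolUser"; password = $plain }   # 3 = SpecificUser
New-Website -Name 'Farm' -Port 80 -HostHeader 'www.example.com' `
            -PhysicalPath '\\FS1\wwwroot$' -ApplicationPool 'FarmPool' | Out-Null
$filter = '/system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Farm' -Filter $filter -Name userName -Value "$domain\$anonUser"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Farm' -Filter $filter -Name password -Value $plain
```

Run step 3 on Server1 and Server2 alike; both pools then reach the same share as the same domain identity, which is the whole point of using AD rather than matching local SAM accounts by hand.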
In summary, this article covers how to set up and configure an environment using Active Directory as the authentication store for web-farms. Web-farms can help with scalability and redundancy. Here are some additional resources I found while writing this blog.
I hope you find this article helpful.
Steve Schofield
Microsoft MVP - IIS