Using Active Directory with IIS 7.0 webfarms by Steve Schofield

This post is targeted at helping IIS Administrators understand how Active Directory can be used by IIS web-farms.  My goal is to help anyone looking to deploy IIS (in a web-farm scenario) and use Active Directory as an authentication store.  There are several moving parts related to a web-farm.

  1. Content deployment
  2. Configuration management, including Shared Configuration
  3. SSL certificates
  4. Logging
  5. FTP deployment using Active Directory
  6. Load-balancing (hardware and software)
  7. Hardware selection for web-farms
  8. Virtual servers or physical machines

As you can see, it’s easy to get confused, and troubleshooting a web-farm is more difficult than troubleshooting a stand-alone server.  For purposes of this post, we’ll focus on Active Directory and web-farms.  Here is an introduction to the topics we’ll be covering in this post.

Web-farms

Active Directory

Deployment of a test environment

Web-farms

What is a web-farm?  A web-farm is 2 or more machines hosting a single instance of a website.  Pretty simple huh?!  Yes, that is the definition of a web-farm.  Wikipedia has a reference to a Server Farm.  Web-farm and server farm are pretty much the same thing, just worded differently.  Wikipedia’s definition includes the term “cluster”.

In my opinion, a cluster provides failover of a single instance of something.  For example, you might have two machines hosting a single instance of a database.  The database instance only runs on a single server.  The other server participating in the cluster is idle.  I refer to two machines hosting a single instance as an Active / Passive Cluster.

Why do I need a web farm? – Running a single website on multiple machines has many benefits.  Probably the biggest reason is scalability, followed by redundancy.  Scalability is used when you need your website to handle increasing workloads or peaks in traffic.  Another benefit is controlled change management in a production environment.  For instance, you have 2 machines in your web-farm and you want to update your website.  You can take Server1 out of rotation, update and test the code, then introduce it back into rotation.  If you experience issues, you can reverse the code changes back to the original set of files.  While you have been testing your updates, the website has been running without interruption on Server2.  Once you have worked out any issues, you can perform the same steps on Server2 while Server1 handles requests.

How do I distribute traffic to both machines?  You would use some form of load-balancing.  Microsoft provides a free option called Network Load Balancing (NLB).  There are also 3rd party load-balancers from Cisco, F5 and Foundry Networks.  You could also use DNS round-robin load-balancing: you would set up two separate A records for a single DNS name (www.example.com).  For example, Server1’s IP address is 192.168.1.10 and Server2’s is 192.168.1.11.  You would have one A record for www.example.com pointing to 192.168.1.10 (Server1) and another A record pointing to 192.168.1.11 (Server2).  When a person requests www.example.com, one request would go to Server1 and the next request would go to Server2.  The downside of DNS load-balancing is that DNS has no health check: if a server stops responding, in this example half of your requests would fail.

What is a Virtual IP address?  A virtual IP address (VIP) is usually not connected to a specific server.  It’s normally configured on a hardware load-balancer that distributes traffic.  If you are using Microsoft’s NLB, it has the ability to distribute traffic to multiple machines while not being tied to a specific server.  Confused?!  For more information on how Microsoft’s NLB works, please review the documentation.  One clarification: if you were using DNS round-robin to distribute traffic, there would not be a need for a virtual IP address.
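As an added example (not part of the original post), here is the DNS round-robin setup described above done in PowerShell, followed by the check a defender would run to see the downside concretely: the DNS server keeps handing out a dead address because it has no health check.  It assumes the DnsServer module (Windows Server 2012 or later) on a Windows DNS server hosting the example.com zone, the Server1/Server2 addresses from the post, and that the machine running the probe uses that DNS server as its resolver.

```powershell
# Added example, not from the original post.
# Assumes: DnsServer module (Server 2012+) on the DNS server hosting example.com,
# and the two web servers at the addresses used in the post.
Import-Module DnsServer

$zone = 'example.com'
$farm = @{ Server1 = '192.168.1.10'; Server2 = '192.168.1.11' }   # constructed sample addresses

# One A record per server, all under the same name "www".
# Windows DNS rotates the answer order between queries (round-robin) by default.
foreach ($ip in $farm.Values) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address $ip -TimeToLive '00:05:00'
}

function Test-FarmMembers {
    <#
      Resolve www.example.com the way a client would, then probe every returned
      address on port 80.  Any address that fails the probe is still being handed
      to clients: that is the "half of your requests fail" caveat from the post.
    #>
    param([string]$Name = "www.$zone", [int]$Port = 80)

    $answers = Resolve-DnsName -Name $Name -Type A | Where-Object { $_.QueryType -eq 'A' }
    foreach ($a in $answers) {
        $up = Test-NetConnection -ComputerName $a.IPAddress -Port $Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Address = $a.IPAddress
            Serving = $up
            Note    = if ($up) { 'ok' } else { 'DOWN: clients given this address will fail' }
        }
    }
}

Test-FarmMembers | Format-Table -AutoSize
```

The probe is the point: with round-robin, the only way to stop clients being sent to a failed server is to remove its A record (or lower the TTL so such a change takes effect quickly), which is why a VIP on NLB or a hardware load-balancer is preferred when you need automatic failover.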

Web-farm Diagram


Active Directory

What is Active Directory?  Active Directory is Microsoft’s version of directory services.  Directory services provide a central database for authentication, print services, file share access and other features.  Here is the Wikipedia definition.  Active Directory provides LDAP (Lightweight Directory Access Protocol) services.  Active Directory uses DNS to help resolve the names of objects, including servers and domain controllers.  For purposes of this article, we will not cover Active Directory in depth, but rather show how it’s used in a web-farm scenario.  For more information on Active Directory, we recommend checking out TechNet.

Do I need Active Directory for a web farm?  You technically do not need Active Directory to run a web-farm.  Each machine could be a stand-alone server and use the local SAM database for user accounts.  If you needed to authenticate between machines, you would have to create the same user account with the same password on each machine and grant the same permissions.  The strength of using Active Directory is the ability to have a central authentication resource.  For our purposes, we’ll be using domain accounts for application pools and anonymous users.

Diagram of Active Directory

Here is a Create AD article that covers creating the AD forest used in this post.

Deployment of a test environment

For purposes of this article, I’m going to use Virtual PC to show how easy it is to set up an environment.  You could also use VMware or Hyper-V for testing.  The host machine is running Windows Server 2008 Enterprise x64 edition.  It has 4 GB of RAM and a 250 GB IDE hard drive.  (PS: my host machine doesn’t support Hyper-V.)

Necessary software / Assumptions

Setup your machines.

Create Websites on Server1, Server2

Setup NLB (network load-balancing)

For our example, we set up Microsoft Network Load Balancing.
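The NLB step in PowerShell, as an added example that is not the post’s own procedure.  It builds the two-node cluster behind a VIP and then performs the rolling update described earlier in the post (drain Server1, update, put it back).  Assumptions: the NetworkLoadBalancingClusters module (the NLB feature on Windows Server 2008 R2 or later) is installed on both web servers, the NLB-bound NIC is named Ethernet on each, the script runs on Server1 as an administrator, and 192.168.1.100 is a free address on the same subnet to use as the VIP.

```powershell
# Added example, not the original post's steps.
# Assumes: NLB feature + NetworkLoadBalancingClusters module on Server1 and Server2,
# NIC named 'Ethernet' on both, run from Server1 as administrator, VIP 192.168.1.100 free.
Import-Module NetworkLoadBalancingClusters

$vip  = '192.168.1.100'     # constructed sample VIP
$mask = '255.255.255.0'
$nic  = 'Ethernet'

# 1. Create the cluster on Server1.  Unicast replaces the NIC's MAC address and breaks
#    host-to-host traffic on that NIC; multicast keeps it but the switch must allow it.
New-NlbCluster -InterfaceName $nic -ClusterName 'webfarm' `
               -ClusterPrimaryIP $vip -SubnetMask $mask -OperationMode Multicast | Out-Null

# 2. Replace the default "all ports" rule with rules for HTTP and HTTPS only, so the
#    VIP does not also expose anything else the servers happen to listen on.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 80  -EndPort 80  -Protocol Tcp -Mode Multiple -Affinity None   | Out-Null
Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol Tcp -Mode Multiple -Affinity Single | Out-Null

# 3. Join Server2 to the cluster.
Add-NlbClusterNode -NewNodeName 'Server2' -NewNodeInterface $nic | Out-Null

function Get-FarmState {
    # Every node should report 'Converged' before you change anything else.
    Get-NlbClusterNode | Select-Object Name, State
}
Get-FarmState

# 4. The rolling update from the post: drain Server1 so in-flight connections finish
#    but no new ones arrive (timeout is in minutes), update and test it by its real
#    address (192.168.1.10), then return it to rotation and repeat for Server2.
Stop-NlbClusterNode -HostName 'Server1' -Drain -Timeout 5
# ... deploy and test the new content on Server1 here ...
Start-NlbClusterNode -HostName 'Server1'
Get-FarmState
```

Drain-stop rather than a plain stop is what makes the change management story in the post work: clients already talking to Server1 are not cut off mid-request, and nothing new is routed to it until you start it again.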

Create AD users and Groups

Log into your domain controller and create 3 items (an FTP user, an anonymous user and a group).

Create Remote Share on file server

This section covers setting up your file server and granting permissions to the AD group

Configure IIS to use a remote share.

This section covers setting up IIS to use the remote share, setting the application pool to use the AD user.
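The three steps above (AD users and group, the remote share, and the IIS application pool and anonymous identity) as one added PowerShell example; it is not the post’s own script.  Assumptions: the domain is CONTOSO (contoso.local), the file server is FileServer1 with content under D:\WebContent, the web servers are Server1 and Server2, the ActiveDirectory module is available on the domain controller (RSAT, Server 2008 R2 or later), and the WebAdministration module is available on the web servers (IIS 7.5 or later; on IIS 7.0 itself the same settings are made with appcmd.exe).  All account, group, share and site names are placeholders.

```powershell
# Added example, not the post's own scripts.  Assumes domain CONTOSO / contoso.local,
# file server FileServer1 (D:\WebContent), web servers Server1/Server2,
# ActiveDirectory module on the DC, WebAdministration module on the web servers.

# ---- Part 1: on the domain controller - the 3 items from the post ------------------
Import-Module ActiveDirectory
$anonPw = Read-Host -Prompt 'Password for CONTOSO\svc-webanon'   -AsSecureString
$ftpPw  = Read-Host -Prompt 'Password for CONTOSO\svc-ftpdeploy' -AsSecureString

# Anonymous / application pool identity: reads content only, cannot change its own password.
New-ADUser -Name 'svc-webanon' -SamAccountName 'svc-webanon' `
    -UserPrincipalName 'svc-webanon@contoso.local' -AccountPassword $anonPw `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'IIS app pool and anonymous identity (web-farm)'
# FTP deployment account: the only identity allowed to write content.
New-ADUser -Name 'svc-ftpdeploy' -SamAccountName 'svc-ftpdeploy' `
    -UserPrincipalName 'svc-ftpdeploy@contoso.local' -AccountPassword $ftpPw `
    -Enabled $true -PasswordNeverExpires $true -Description 'FTP content deployment'
# The group carries the permissions, so adding a server or account later is a membership change.
New-ADGroup -Name 'WebFarm-ContentReaders' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'WebFarm-ContentReaders' -Members 'svc-webanon'

# ---- Part 2: on FileServer1 - share and NTFS permissions ----------------------------
$root = 'D:\WebContent'
New-Item -ItemType Directory -Path $root -Force | Out-Null
# Share level: readers read, the deployer changes, nobody else (no Everyone / Full Control).
New-SmbShare -Name 'WebContent' -Path $root `
    -ReadAccess 'CONTOSO\WebFarm-ContentReaders' -ChangeAccess 'CONTOSO\svc-ftpdeploy' | Out-Null
# NTFS level: same split, inherited by files and subfolders via (OI)(CI).
# /inheritance:r drops the inherited defaults (e.g. BUILTIN\Users read) first.
icacls $root /inheritance:r
icacls $root /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'
icacls $root /grant 'CONTOSO\WebFarm-ContentReaders:(OI)(CI)RX'
icacls $root /grant 'CONTOSO\svc-ftpdeploy:(OI)(CI)M'

# ---- Part 3: on each web server (Server1, Server2) ----------------------------------
Import-Module WebAdministration
$pool = 'WebFarmPool'
$site = 'WebFarmSite'
$plain = Read-Host -Prompt 'Password for CONTOSO\svc-webanon'   # IIS encrypts it in applicationHost.config

New-WebAppPool -Name $pool | Out-Null
# Run the worker process as the domain account so it can open the UNC path.
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = 'CONTOSO\svc-webanon'; password = $plain }

# Both servers point at the same remote share, so content is deployed once.
New-Website -Name $site -Port 80 -HostHeader 'www.example.com' `
    -PhysicalPath '\\FileServer1\WebContent' -ApplicationPool $pool | Out-Null

# Anonymous requests also run as the domain account.  This section is locked at the
# server level, so write it as a <location> in applicationHost.config, not in web.config.
$filter = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name userName -Value 'CONTOSO\svc-webanon'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name password -Value $plain

function Get-FarmSiteStatus {
    # Quick check: the pool identity is the domain account and the site is started on this node.
    [pscustomobject]@{
        PoolIdentity = (Get-Item "IIS:\AppPools\$pool").processModel.userName
        SiteState    = (Get-Website -Name $site).State
        ContentPath  = (Get-Website -Name $site).PhysicalPath
    }
}
Get-FarmSiteStatus
```

Run Part 3 identically on every server in the farm; because the identity and the content path are the same everywhere, a request reaching either node through the VIP behaves the same way, which is the whole reason the post uses domain accounts instead of per-machine SAM accounts.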

In summary, this article covers how to set up and configure an environment using Active Directory as the authentication store for web-farms.  Web-farms can help with scalability and redundancy.  Here are some additional resources I found while writing this blog post.

I hope you find this article helpful.

Steve Schofield
Microsoft MVP – IIS