MOSS Small Farm Installation and Configuration War Story

This week, I’ve struggled a bit with my team to get MOSS installed in a simple two-server farm. Having gone through it, I have a greater appreciation for the kinds of problems people report on the MSDN groups and elsewhere.

The final farm configuration:

  • SQL / Index / Intranet WFE inside the firewall.
  • WFE in the DMZ.
  • Some kind of firewall between the DMZ and the internal server.

Before we started the project, we let the client know which ports needed to be open. During the give and take, back and forth over that, we never explicitly said two important things:

  1. SSL means you need a certificate.
  2. The DMZ server must be part of a domain.

Day one, we showed up to install MOSS and learned that the domain accounts for the database and MOSS hadn’t been created. To move things along, we went ahead and installed everything with a local account on the intranet server.

At this point, we discovered the confusion over the SSL certificate and, sadly, decided to have our infrastructure guy come back later that week to continue installing the DMZ server. In the meantime, we solution architects moved forward with the business stuff.

A weekend goes by and the client obtains the certificate.

Our infrastructure guy shows up and discovers that the DMZ server is not joined to any domain (either a perimeter domain with a limited trust or the intranet domain). We wasted nearly a 1/2 day on that. If we hadn’t let the missing SSL certificate bog us down, we would have discovered this earlier. Oh well….

Another day passes and the various security committees, interested parties and (not so) innocent bystanders all agree that it’s fine to join the DMZ server to the intranet domain (this is a POC, after all, not a production solution).

Infrastructure guy comes in to wrap things up. This time we successfully pass through the modern-day gauntlet affectionately known as the "SharePoint Configuration Wizard." We have a peek in central administration and … yee haw! … the DMZ server is listed in the farm. We look a little closer and realize we broke open the champagne a mite bit early. The WSS service is stuck in a "starting" state.

Long story short, it turns out that we forgot to change the identity of the service account via central administration from the original local account to the new domain account. We did that, re-ran the configuration wizard and voila! We were in business.


5 thoughts on "MOSS Small Farm Installation and Configuration War Story"

  1. Cimares
    It’s perfectly OK to have your SQL in a different VLAN/subnet than your WFEs. In fact it’s recommended; after all, as mentioned before, what security expert is going to let you stick SQL in the DMZ? The recommendation is that your SQL traffic does NOT use the same interface cards as the user traffic; however, even this connection may pass through a firewall for additional protection.
    The restriction related to multiple WFEs in a farm environment applies if you’re using Microsoft load balancing: then these must all be in the same VLAN.
  2. Paul

    I can almost beat your SSL certificate issue. We had everything created and were ready to extend the web app with SSL (then redirect port 80 in IIS). The administrator had a .cer file ready to go. But NONE of the options or crazy contortions to apply it in IIS will work–the site always displays a blank page like the site collection doesn’t exist.

    After much banging of heads, we learned this was caused by the cert request not coming from that server. The administrator simply asked for a cert and was emailed the resulting key. With no private key, the SSL tunnel could not get built between the WFE and the browser. We wasted 1/2 day on that.

  3. Christian wrote:
    Very interesting! I highly doubt that it shouldn’t be supported to host the WFEs in one VLAN/DMZ and APP/SQL in another VLAN/DMZ.
    The TechNet articles about supported extranet scenarios don’t have any reservations, either – but TechNet could be incorrect 🙂 None of our clients would allow their SQL Servers to sit on the same VLAN/DMZ as the WFE, so I sincerely hope that MS got it wrong.
    Can you elaborate on what the problem with splitting the configuration should be? Performance reasons only? Or do they in fact mean that the WFEs should be on the same VLAN/DMZ? That would make more sense to me.
    Sincerely,
    Christian
  4. Paul Galvin
    That’s a very good question.
    We are tracking very closely to the MS documentation, so I can’t imagine how they would refuse to support it. That said, I am not an infrastructure person, so it’s possible that I’m abusing terms in my post.
    As I understand it, the correct approach is to have (at least) two AD domains: one internal domain and one in the perimeter network. The perimeter network’s AD would have a "limited trust" relationship with the internal AD.
    But you probably already know all that 🙂
    Bottom line, I don’t know. We did not receive or look directly to Microsoft for guidance on this one.
    –Paul G
  5. Tom Dietz
    Is this configuration supported? At the SharePoint Conference in Seattle in March, I was chatting with some Microsoft Engineers and they said that supported configurations do not allow WFEs to cross VLANs or routers. I assume that since the WFE is in a DMZ, it is crossing some sort of firewall/router or is in its own VLAN.
    So basically the DB and WFE/App Servers all have to be on the same VLAN.
    They were really adamant about this–it’s actually a slide in the ‘Geographical’ deployment session if you have access to the deck.
    I’ve read TechNet articles that illustrate sample configurations that contradict their statements, but the MS guys basically said that TechNet is wrong.
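Paul’s comment above (comment 2) describes a certificate that was e-mailed as a .cer file without the matching private key, so IIS could never terminate SSL for the extended web application. The check below is an added example, not code from the original post or from Microsoft; it is the kind of inventory a WFE administrator would run before extending a web application with SSL. It assumes an elevated PowerShell session on the WFE, and the file path `C:\certs\wfe-example.cer` is a placeholder.

```powershell
# Added example (not from the original post). Inventory the local machine's
# personal certificate store and flag any certificate that has no private key:
# such a certificate cannot be bound to an HTTPS site, which is the symptom
# Paul describes (blank page, as if the site collection did not exist).

$store = 'Cert:\LocalMachine\My'

# Overview of everything in the store, private-key status first.
Get-ChildItem -Path $store |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Sort-Object HasPrivateKey |
    Format-Table -AutoSize

# Call out the orphans explicitly so they are not missed in a long list.
$orphans = Get-ChildItem -Path $store | Where-Object { -not $_.HasPrivateKey }
if ($orphans) {
    Write-Warning 'Certificates without a private key on this server:'
    $orphans | ForEach-Object {
        Write-Warning ('  {0}  {1}' -f $_.Thumbprint, $_.Subject)
    }
}

# A .cer/.crt file carries only the public half; a .pfx is the container that
# can also carry the private key. Loading the file you were handed shows which
# one it is before you import it. The path below is a placeholder (assumption).
$file = 'C:\certs\wfe-example.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
'{0}  HasPrivateKey={1}' -f $cert.Subject, $cert.HasPrivateKey
```

If the file is a password-protected .pfx, pass the password as the second argument to the `X509Certificate2` constructor. When `HasPrivateKey` is false for the certificate you intend to bind, the request must be regenerated on the server that will host the site (or the key must be exported from wherever the request was generated); no IIS binding option will make the public certificate alone work.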
