This article was previously published under Q191138
This article has been archived. It is offered "as is" and will no longer be updated.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
This article describes how to install the Windows NT Option Pack (NTOP) ona Microsoft Cluster Server (MSCS) computer to allow fail-over of the WWW and FTPservices.
If the Dtcsetup.exe file in Windows NT Service Pack 4, SQL Server 6.5a, orSQL Server 7.0 has been installed on the Cluster Server computer, pleaseread the following Microsoft Knowledge Base article before running theinstallation of the NTOP on the Cluster Server computer. Failure to do sowill result in numerous errors during the install on Node B and failure ofthe IIS, MTS, and MSDTC to function on Node B.For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
223258 How to install the Windows NT Option Pack on MSCS 1.0 with SQL Server 6.5 or 7.0
223258 How toInstall the Windows NT Option Pack on MSCS 1.0 with SQL Server 6.5 or7.0
Before you begin the installation of the Windows NT Option Pack (NTOP),you must create a cluster resource group that contains a physical disk, IPaddress, and Network Name resource. After you create the resourcegroup, move the resource group to Node A. This is required for theinstallation of Microsoft Transaction Server.
We only support running MSDTC on cluster nodes as a clustered resource. We do not recommend and do not support running MSDTC in stand-alone mode on a cluster. Using MSDTC as a non-clustered resource on an MSCS cluster is a problematic configuration because transactions could be orphaned. This behavior causes data corruption in the event of a cluster failover.
Note Windows NT must reside in the same location on both Node A and NodeB. For example, if you install Windows NT to C:\Winnt on Node A, then youneed to have Windows NT installed to C:\Winnt on Node B as well. If theWindows NT %SystemRoot% folder is not identical on both Node A and Node B,you will not be able to perform fail-over of IIS.
Installation sequence for multiple nodes
Move all cluster resource groups to Node A.
Start the Windows NT Option Pack installation on Node A. On the"Microsoft Internet Information Server" setup screen, accept the defaultlocation for the WWW, FTP, and the Application Installation Pointsettings. During the installation of Transaction Server, on the "MicrosoftTransaction Server 2.0" screen, the Windows NT Option Pack Setup programattempts to locate the MSDTC transaction log on a cluster disk resource inany resource groups currently owned by that node.
Note If SQL Server 6.5 is not installed on the Cluster Server computer, accept the default location for the MSDTC Virtual Server and Log file location. If SQL Server 6.5 is installed on the Cluster Server computer, then theMSDTC Resource should reside in the resource group that SQL Server iscurrently in. When you are prompted for the resource group to install theMSDTC log to and the location for the MSDTC log file, if SQL Server 6.5 isinstalled, choose the SQL Server Resource Group Network Name you havecreated from the drop-down list and place the MSDTC Log directory on thedisk resource that belongs to that SQL Resource Group. (For example, ifyour SQL Server Resource Group Network Name is called "SQLGroup" and thedisk resource assigned to that group is assigned drive letter S:, youwould specify "SQLGroup" in the virtual server drop-down list, andS:\MSDTCLog as the path to the MSDTC Log directory.)
DO NOT INSTALL ANYTHING INTO THE DEFAULT CLUSTER GROUP.
At the end of the Windows NT Option Pack installation, a dialog boxis displayed that instructs you to start the installation on Node B and toclick OK when that setup is complete. Leave this dialog box on thescreen and start the Windows NT Option Pack installation on Node B.
Note Do not move the resource group from Node A to Node B. Leave theresource group on Node A.
Start the Windows NT Option Pack installation on Node B. On the"Microsoft Internet Information Server" setup screen, accept the defaultlocation for the WWW, FTP, and the Application Installation Pointsettings. This installation does not prompt for the transaction loglocation. When this installation is complete, restart Node B.
If Windows NT Service Pack 4 is installed on Node B, thecluster service will not start after the NTOP is installed and thecomputer is restarted. This is a known issue. Please see the following Knowledge Base article for details:
218922 Installing NTOP on Cluster Server with SP4 causes Event IDs 1009 and 1058
You must re-apply SP4 on Node B and restart the computer againbefore the Microsoft Cluster Server Service will start.
After Node B has completely restarted, return to Node A and clickOK. When prompted to restart Node A, choose Yes.
If Windows NT Service Pack 4 is installed on Node A, then theCluster Server service will not start after the NTOP is installed and thecomputer is restarted. This is a known issue. Please see Q218922 for details. You must re-apply SP4 on NodeA and restart the computer again before the Microsoft Cluster Server Service willstart.
After the computers have restarted, the Web or FTP fail-over sitesneed to be created. Internet Information Server (IIS) virtual servers in this configuration require a resource group with an IP address at minimum, though it is recommended that you also have a drive resource to identify file location.
DO NOT USE THE DEFAULT CLUSTER GROUP.
Move the target cluster resource to Node A.
In the Microsoft Management Console (MMC) on Node A, expand the Internet Information Server tree, right-click on the computer name, and choose to create a new Web (or FTP) server.
In the properties for this new site, set the IP address to the IP addresses in the resource group that this resource will fail over in.
Select the directory, Universal Naming Convention (UNC) connection,or redirection that the site should use as the home directory. Ifselecting a drive, it should be a drive in the resource group that theIP address is in.
Repeat Steps 10 through 12 for each WWW of FTP site you want toprovide fail-over capabilities to.
Synchronize the IIS user accounts
An anonymous account (IUSR_CLUSTER) and a Windows Access Method account (IWAM_CLUSTER) need to be created as domain accounts on the domain that these computers are members of. These accounts need "logon locally" and "access this computer from the network" user rights on both nodes of the cluster. It is recommended that these accounts also be set to "cannot change their password" and "password never expires." Add both accounts to the Guests Local Group on both Nodes as well. Add both accounts to Dcom Default Access group with Allow Access Permission and the Dcom Default Launch Group with Allow Launch Permission. Add the IWAM_CLUSTER account to the MTS Trusted Impersonators (or may be named MTS Impersonators) Local Group on each Node.
After these two accounts have been created, go into the MMC for IIS 4.0 and set the IUSR_CLUSTER account as the anonymous account.
In the MMC, expand the Internet Information Server tree, and then right-click the entry for the computer name.
Select Properties. On the Internet Information Server tab, select WWW Service in the Master Properties drop-down list.
Select Edit, and then click the Directory Security tab. Select the top edit button associated with Anonymous Access and Authentication Control.
In the Authentication Methods dialog box, select the edit button to the right of the Account used for Anonymous access. This dialog box allows you to select the anonymous user domain account that you created (IUSR_CLUSTER account).
Select the IUSR_CLUSTER account, and then click OK until you are back to the MMC main screen.
Note If the cluster server you are on is not a domain controller, youcannot use "Enable Automatic Password Synchronization." You need tomanually input the password for the IUSR_CLUSTER account.
Repeat these steps for the FTP service "Master Properties." In this case, click the Security Accounts tab, and then set the anonymous user account to the IUSR_CLUSTER account.
Click the Apply button to save your changes, and then click OK until you return to the MMC main screen.
Set the IWAM account information
The IWAM_CLUSTER account only needs to be set if you are using the WWWservice.
Note To set the IWAM account, make sure you have installed WindowsScript Host from the Windows NT Option Pack. If the Script Host isnot installed, you can install it by running Add/Remove Programs fromControl Panel, and then choosing Windows NT 4.0 Option Pack.
Start a command prompt, and then go to the following folder:
Type the following command, and then press ENTER:
adsutil enum w3svc
If this is the first time you have run this script, or if your script interpreter is set to wscript, you will be prompted to associate this script with cscript. Click OK to associate the script with cscript and run the command again.
The correct output from this command should be the contents of the IIS 4.0 computer's metabase scrolling past in the command prompt window. If this is working properly, you must set the IWAM account information into the metabase. To do so, type the following:
adsutil set W3SVC/WAMUserName domain_name\IWAM_CLUSTER
where domain_name is the name of the domain that the user account IWAM_CLUSTER exists in. This sets the account to use the correct domain in order to authenticate the account.
Type the following:
adsutil set W3SVC/WAMUserPass IWAM_Password
where IWAM_Password is the password for the IWAM_CLUSTER account as created earlier. This should correctly set this account for use by IIS 4.0.
Note that the IUSR_CLUSTER account is only used for anonymous access,and the IWAM_CLUSTER account is only used by the WWW service. If youare interested only in FTP usage, or do not need anonymous access, you donot need to make either of these changes in the metabase.
Create and configure the new server instance
To create a new server instance, use the Cluster Server Administrator to create a new IIS server instance. This instance should depend on the IP address resource and disk resource.
Note An IIS server instance can not be created using a Remote ClusterAdministrator. You have to be on the cluster server to create the IISserver instance.
One of the last steps in the creation of the IIS server instance is to determine whether this is a Web site or an FTP site and to select the site. Be sure to select the Web site created for this resource group.
NOTE: If your FTP or Web site does not appear in the list, close theCluster Administrator, and then reopen the Cluster Administrator.
After the IIS virtual server instance has been created, it will be displayed as offline. Right-click the resource in Cluster Server Administrator and set it to online.
Configuring MTS and IIS for replication
Open the Internet Service Manager.
Double-click the Microsoft Transaction Server.
Double-click the Computers folder.
Right-click My Computer, and then click Properties.
Click the Option tab.
In the Replication Windows, complete the two entries as follows:
Replication Share = any available share on the other cluster node where the Administrator has full rights to the share. (You can use the c$ share, for example.)
Remote Server Name = the name of the other cluster node.
Click Apply, and then click OK.
Repeat steps 1 through 7 on the second node.
Warning The MTS replication must be configured on both Nodes A and Bbefore you run the IISSYNC utility or irreparable damage could be done toyour IIS installation, requiring a complete uninstall and reinstall of IIS.
At a command prompt on Node A, go to the System32\Inetsrv folder and type the following command:
where nodeb is the actual computer name of Node B. This duplicates the metabase information and MTS related packages from Node A to Node B, so that the clustered Web sites can be moved between computers.
After this last step has been performed, you should be able to successfully move the IIS resource groups between nodes.
For more information, please see the following Web page: