RESET Forums (homeservershow.com)

IIS Dont's


Guest techyguyni

Recommended Posts

Guest techyguyni

I've just read that Microsoft don't recommend running IIS on a domain controller, but yet it comes enabled and running on Server Essentials when you first install, and yet to remove it takes away services that Essentials needs to be Essentials???? Am I missing something here?


Guest techyguyni

Ahh ok, interesting. How does the Hyper-V work in regards to the terms of use? Am I able to run Server Standard in Essentials within a Hyper-V environment?


Legally, you can't - although I think it will actually work. The only VM you are licensed to run on the Hyper-V environment within 2012E R2 is another copy of 2012E R2.

 

The point about IIS on a DC is an interesting one, but the reasons for not doing it are not really what you think they are. IIS is a web server, and the assumption is that if you are setting up a web server then at some point people will want to connect to it. Having (potentially) external users connecting directly to, and hence having access to, a domain controller is such a massive security issue that it doesn't bear thinking about. There is nothing actually wrong with having IIS on a DC; in fact for Essentials you have to. It's more a case of what are you going to do with IIS once it's set up and who will be accessing it?

 

The thing to always keep in mind when dealing with Microsoft products (and especially Active Directory and Windows networking) is that it is the same model everywhere. And this is both a good thing and a bad thing. Good because AD works exactly the same everywhere: if the NSA happen to run an Active Directory system, then the underlying security on that is absolutely identical to the security on your home network server, no more, no less. AD is massively complex if you want to use the features, and you do actually have all the same security and management features in your home setup as there are in the largest and most secure global enterprise - you probably just don't use them all! And it's a bad thing for exactly the same reason: you have all of this complexity hiding behind the scenes, and if you are not too sure of what you are doing then there are an awful lot of ways you can really screw it up.

 

I think it is this that made people (and still does to some extent) very reluctant to move from WHS 2011 to Essentials - 'I don't want the hassle of dealing with a domain - it's too complex', which is true to some extent. Take a look through these forums and there are no end of topics on skipping domain join - many of which involve a bit of jumping through hoops and have a habit of ending in tears when a change or update breaks what you have set up just to prevent Windows from doing what it really, really wants to do and the way MS designed it to do. There are also quite a few posts from users who want to back up their (company) domain-joined laptops on their home domain and find that they can't. Personally I'd be astonished if MS ever, ever release a patch to enable that. In fact I'll stick my head out and say that it'll never happen - why? Because doing so will massively change and weaken the entire domain security model on which all of MS networking is based. Unless they are prepared to invest time in producing a cut-down, less secure version of AD just for home users, then I'm sorry, but it is just not going to happen.

 

Anyway, I've managed to go off on a tangent here. MS articles and advice always tend to be 'best practice'. Yes, you shouldn't run IIS on a DC for security (and also performance reasons if the web server gets a lot of traffic), so it's best (but not absolutely essential) to have it on its own server. Except you can't easily with Essentials, as various components need it - Essentials expects to be the only server and sets itself up accordingly. Theoretically you could move the IIS features to another server, but doing so will break many of the Essentials components (certificate services won't be happy for a start) and you'll need to manually reconfigure and reset (on a very low level) many settings.

 

So best practice would be something like: at least two domain controllers (physical or virtual); you'll need a certificate server for the internal domain, ideally two just in case, which can run on a DC with no issues. The certificate server needs IIS for cert distribution, so they need to be on separate servers isolated from the DCs using firewalls (need to keep unwanted traffic away from the DCs). Then you need to access the network from outside; that'll require a cluster of additional front-end IIS servers, again separated off and talking back to the rest of the network using only specific ports, and so on and so on.

 

It's a big nonsense really, but that is exactly how it should be done and exactly how large organisations do work, and this is how Microsoft recommend that networks are set up, because these best practices are exactly that. If you can set up a system in such a way then do so for maximum performance and reliability, but you don't actually have to, and indeed in a home or small-business environment you can't get anywhere near this level. Yes, you should have multiple servers doing different things, but it does actually work with one as long as you are aware of the limitations and consequences.

 

John 

 

 

- MS articles tend to assume that you are running a multi-server environment with features split between different machines. And this is both a good thing and a bad thing.


Guest techyguyni

Hi jem101,

 

At last a good article (reply). OK, that's explained it in a way I understand, and here comes the silly question.... Am I able to add a 2012 Standard edition onto my network with only the IIS role? I'm gathering no, so am I able to add a Windows 7 or 8 box onto my network to host my websites?

 

I would like to host my websites with IIS but keep my Essentials server in place. I'm feeling I would need to replace Essentials with a Standard edition of Server to do this; would I be correct?

 

thanks again for your reply.

 

 

paul 


Just to add, I can't understand what the point is in running Server Essentials and then installing it again in a VM with Hyper-V? Could you explain?


You can set up as many sites on the Essentials server as you wish; you will just need to bind them to another port. Is it good practice? No. Can it be done? Yes.

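Creating an extra site on a non-default port, as jmwills describes, can be done from an elevated PowerShell session on the Essentials server. This is an added example, not code from the thread; the site name, content folder and port 8080 are assumptions, and it checks the existing bindings first so the new site cannot collide with the ports the Essentials role already uses.

```powershell
# Added example (not from the thread): add a second IIS site on its own port
# without touching the bindings the Essentials role already owns.
Import-Module WebAdministration

# Assumed values for the example; choose your own.
$siteName = 'MyPersonalSite'
$sitePath = 'C:\inetpub\MyPersonalSite'
$sitePort = 8080   # plain HTTP; an HTTPS site would also need -Ssl and a cert binding

# 1. Inspect what is already bound so we do not steal a port that the
#    Essentials dashboard / Remote Web Access (80, 443, ...) depend on.
$inUse = Get-WebBinding | ForEach-Object {
    # bindingInformation looks like "*:443:" or "10.0.0.5:80:host.example"
    [int]($_.bindingInformation -split ':')[1]
}
if ($inUse -contains $sitePort) {
    throw "Port $sitePort is already bound by an existing site; choose another."
}

# 2. Create the content folder and the site with the non-default binding.
New-Item -ItemType Directory -Path $sitePath -Force | Out-Null
New-Website -Name $siteName -Port $sitePort -PhysicalPath $sitePath -Force | Out-Null

# 3. Open only that one port on the host firewall (Windows Server 2012+ cmdlet),
#    rather than disabling the firewall or widening an existing rule.
New-NetFirewallRule -DisplayName "IIS $siteName (TCP $sitePort)" -Direction Inbound `
    -Protocol TCP -LocalPort $sitePort -Action Allow | Out-Null

# 4. Confirm: the new site is listed with its own binding and nothing else changed.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
```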

Like jmwills says, as long as you get the port bindings to the various sites sorted out then it's fine. Is it potentially a security hazard? Yes. Is it a massive problem? Probably not. Just make sure that you keep IIS patched and up to date and you should be fine.

 

Yes I know it does sound a bit odd but I believe that the logic behind the virtualisation rights for Essentials R2 was that it was never intended for home use, the idea was that OEMs could supply a physical machine running Essentials with the Hyper-V role enabled and that could all be pre-built and shipped (almost) ready to go. The customer gets the machine, fires it up, Hyper-V spins up the Essentials VM which itself is pre-installed and just needs to run the final wizards to configure it as the customer wants. It could all be done in a matter of a few hours from unboxing to having a fully functioning domain. And it still costs the same as a single Essentials license with no extra CALs needed.

 

Even so, I'm sure you are thinking, it still does seem like a lot of extra work for no real gain, but now consider that after the company has had it for a while, they find they need a second server for some line-of-business application which can't (or shouldn't) be run on a DC. They could get a new physical box to run it on, or maybe, if they're smart, they just purchase a single licence for Server 2012 Standard. You then use this license key to 'transmog' the copy of Essentials on the host to 2012 R2 - it keeps the Hyper-V role, your VM of Essentials keeps running, you then use the virtualisation rights of 2012 to create another two VMs of 2012 on the existing physical hardware (which you are now fully entitled to do as it is no longer Essentials) and use one or both of them to install your LOB application on. You won't need CALs for the new host, but you will probably need them for the new VM depending on what you are doing with it; a remote desktop server would need RDS CALs, etc.

 

As I said, not really the sort of scenario a home user is likely to face, but possibly not unreasonable for a small company.

 

John


Argh, don't want to read!

 

 

The Essentials role uses and in fact REQUIRES IIS. It is HOW it communicates with clients. So it is necessary.

However, you can do a lot to it without breaking it, such as installing PHP or setting up a reverse proxy (so you can host other web services over the same connection).
