Updated Checklist to set up a new server

As you'll see below, I set up some very limited-access user accounts, and there are a few extra steps because of this.

  1. rename the built-in "Administrator" account (and any other standard account) and make sure the "Guest" account is disabled
    1. Create ComputerUser account and make member of Admins. Log in with this user and customize:
      1. Display Properties > Appearance > Color scheme, and Advanced > Desktop color (so I can tell which machine I'm on when in Remote Desktop; each server gets a unique color scheme).
      2. Set Start Menu and Taskbar properties the same as my other servers.
        1. Turn off language bar and advanced text settings
  2. OPTIONAL - change the Remote Desktop Connection port (see http://support.microsoft.com/kb/306759 -- ONLY takes effect after a REBOOT!). A non-standard port only keeps the server out of casual scans for 3389; the firewall exception in step 3 still has to be limited to my own addresses.
  3. set up Windows firewall on new server. Add exceptions for:
    1. RDC (custom port, if used) - scope the exception to my own IP addresses, not "any"
    2. FTP - same scoping; control port 21 plus whatever the data connections need (passive mode uses ephemeral ports)
    3. HTTP (port 80, open to all)
  4. create a special very limited Windows account for FTP use. Not a member of any groups (a new local account is put into Users automatically, so remove it from there).
  5. get FTP working on new server
    1. Control Panel > Add/Remove Windows Components > Application Server > Details > IIS > Details > FTP
    2. set up logging and upload folders for FTP & set permissions for ftp user account
    3. Deny access except from specified IP addresses/computers. IIS 6 FTP has no TLS option, so the FTP user name and password cross the network in clear text; this IP restriction is the control that actually matters.
    4. Don't allow anonymous access? Or do allow anonymous only from my IP address?
  6. create folder structure on new server. Here are some examples I use on a system with three drives:
    1. D:\InetPub\Subtext
    2. D:\SQLData\Subtext
    3. E:\SQLLogs\Subtext
    4. E:\Logs\WebLogs\websitename.com
    5. E:\Settings\IIS (for config files, etc.)
    6. Etc.
  7. install NTFS Link
  8. add Windows user account for LimitedWebAccount and make it a member of IIS_WPG (but not Users) on web server. IIS_WPG is what grants the "Log on as a batch job" right (and the related rights) that an app pool identity needs.
  9. add read permissions for LimitedWebAccount account to:
    1. C:\WINDOWS\Temp (and maybe C:\temp) for LimitedWebAccount account
    2. Logging folders? Is this required???
    3. Website folders
  10. add write permissions for LimitedWebAccount account to:
    1. upload folders of blogs
    2. ?
  11. install MS SQL
    1. add security login for LimitedWebAccount to MSSQL
  12. Add custom trust policy as per http://blog.davestechshop.net/archive/2006/11/12/CustomTrustLevelForCommunityServer.aspx or http://blog-howto.com/archive/2006/09/24/CustomizingTrustLevelPolicy.aspx
    1. Note that the Feed Reader in Community Server will not work unless trust is set to Full.
  13. create config files for IIS web sites and app pools on existing server (on IIS 6, iiscnfg.vbs /export writes a metabase subtree to XML and /import reads it back)
    1. IISConfig.xml
    2. IisAppPools.xml
  14. edit IIS config files:
    1. change server name (H128223 to VS512001-08, for example)
    2. change logging folder (E:\Logs\WebLogs to C:\Logs\Websites, for example)
    3. Change ServerBindings IP address (208.112.91.107 to 172.16.100.202, for example)
    4. Change website root folder (D:\InetPub\ to C:\Inetpub\wwwroot, for example)
  15. On new server add custom app pools in IIS (use config file)
    1. set app pool Identity to LimitedWebAccount account & set password
  16. add web sites from config file (after checking edits for new server)
    1. update passwords if required
  17. copy website applications (CommunityServer, DNN, Subtext, etc.)
    1. zip up all stuff on existing server
    2. FTP it to new server
    3. unzip on new server
  18. use NTFS Link and set up junctions for Community Server as per http://blog.davestechshop.net/archive/2006/10/22/CommunityServerMultipleCommunities.aspx
  19. edit web.config files for db connection string
    1. Community Server (FitEyes.com) – change DbConnection String Data Source only: 2 places
    2. Subtext – change DbConnection string Server only: 1 place.
    3. Don’t forget to modify for Sql Express if required (Server=VS512001-08\SQLEXPRESS;)
  20. create database backups on existing server
  21. restore databases to new server
    1. using Options tab, change data and log file locations (“restore as”) as appropriate
    2. Add the new server's login (VS512001-08\LimitedWebAccount) as a database user and remove the old one; the login name includes the computer name, so it differs on each server.
    3. Subtext does not require any permissions for the LimitedWebAccount user.
    4. CommunityServer requires all asp_ permissions plus db_datareader and db_datawriter.
  22. Change DNS records
    1. Log into DynDns.org > My Services > “Custom DNS” for selected domain > Host record (click domain name) > enter new IP address
    2. test website
      1. If Subtext gives "Service Unavailable", check the http.sys error log in C:\WINDOWS\system32\LogFiles\HTTPERR for a line like "HTTP/1.1 GET /Default.aspx 503 1361756356 AppOffline Subtext-NoRecycle" (AppOffline means W3SVC has disabled the app pool).
      2. Look in the Event Logs for errors like those shown at the end of this post. These are all because of an incorrect password in the Identity for the AppPool.
  23. Copy weblogs over from old server
  24. Set up backup jobs on new server
  25. Set up offsite backup (FTP transfer)
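As an added example (not code from the original post), here is the scripted form of steps 2, 3, 4 and 8 to 10 using the tools that ship with Windows Server 2003 (net, netsh, reg, cacls), run from an administrator PowerShell prompt on the new server. The admin address, RDP port, FTP account name and upload folder are assumptions to replace with your own; LimitedWebAccount and the paths come from the checklist. Allowing inetinfo.exe for passive-mode FTP data connections is my choice, not something the checklist specifies.

```powershell
# Added example; not code from the original post. Scripts steps 2, 3, 4, 8, 9 and 10 of
# the checklist with the tools built into Windows Server 2003 (net, netsh, reg, cacls).
# Run from an administrator PowerShell prompt on the new server. Values marked "assumed"
# are placeholders to replace with your own.
$AdminIp   = "203.0.113.10"              # assumed: only address allowed to reach RDP and FTP
$RdpPort   = 3390                        # assumed custom RDP port; live only after a reboot
$FtpUser   = "FtpOnlyUser"               # assumed name of the FTP-only account
$WebUser   = "LimitedWebAccount"         # app pool identity named in the checklist
$WebRoot   = "D:\InetPub\Subtext"        # site folder from step 6
$UploadDir = "D:\InetPub\Subtext\images" # assumed blog upload folder (step 10)
$TempDir   = "C:\WINDOWS\Temp"           # step 9

function New-ServicePassword {
    # 20 characters drawn uniformly from a 64-symbol alphabet. 256 is a multiple of 64,
    # so reducing each random byte mod 64 introduces no bias.
    $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@"
    $bytes = New-Object byte[] 20
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    $pw = ""
    foreach ($b in $bytes) { $pw += $alphabet[$b % 64] }
    return $pw
}

function New-LimitedLocalUser([string]$Name, [string]$Password) {
    # 'net user /add' puts every new account in Users; the checklist wants these accounts in
    # no group at all (IIS_WPG is added separately for the web account below).
    net user $Name $Password /add /passwordchg:no /expires:never | Out-Null
    net localgroup Users $Name /delete | Out-Null
    # Mark the password as never expiring (ADS_UF_DONT_EXPIRE_PASSWD = 0x10000). A password
    # that expires under a running app pool produces the 529/1057/1059 events shown later.
    $acct = [adsi]"WinNT://./$Name,user"
    $acct.Put("UserFlags", ($acct.UserFlags.Value -bor 0x10000))
    $acct.SetInfo()
}

$ftpPass = New-ServicePassword
$webPass = New-ServicePassword
New-LimitedLocalUser $FtpUser $ftpPass
New-LimitedLocalUser $WebUser $webPass
# IIS_WPG carries the "Log on as a batch job" right that a worker process identity needs.
net localgroup IIS_WPG $WebUser /add | Out-Null

# Step 2: custom RDP port (KB 306759). Nothing changes until the server is rebooted.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
    /v PortNumber /t REG_DWORD /d $RdpPort /f | Out-Null

# Step 3: firewall. HTTP is open to everyone; RDP and FTP only to the admin address.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE
netsh firewall add portopening protocol=TCP port=80 name=HTTP mode=ENABLE scope=ALL
netsh firewall add portopening protocol=TCP "port=$RdpPort" "name=RDP custom port" mode=ENABLE scope=CUSTOM "addresses=$AdminIp"
netsh firewall add portopening protocol=TCP port=21 "name=FTP control" mode=ENABLE scope=CUSTOM "addresses=$AdminIp"
# Passive-mode data connections arrive on ephemeral ports, so allow the process hosting the
# FTP service (inetinfo.exe on IIS 6) instead of a port range, again scoped to the admin address.
netsh firewall add allowedprogram "program=$env:SystemRoot\system32\inetsrv\inetinfo.exe" "name=IIS FTP" mode=ENABLE scope=CUSTOM "addresses=$AdminIp"

# Steps 9 and 10: read on the site tree and Temp, change (write) only on the upload folder.
cacls $WebRoot   /T /E /G "${WebUser}:R" | Out-Null
cacls $TempDir   /E /G "${WebUser}:R" | Out-Null
cacls $UploadDir /E /G "${WebUser}:C" | Out-Null
# The FTP account gets change on the upload folder and nothing else.
cacls $UploadDir /E /G "${FtpUser}:C" | Out-Null

Write-Host "Record these in the password safe; the web one goes into the app pool identity (step 15):"
Write-Host "  $FtpUser : $ftpPass"
Write-Host "  $WebUser : $webPass"
```

Reboot after running it so the RDP port change takes effect, and open the new RDP port in the firewall before you close 3389, or you lock yourself out of the box.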
 
Events associated with App Pool Identity Problems:
 
Event Type:       Failure Audit
Event Source:     Security
Event Category:   Logon/Logoff
Event ID:         529
Date:             6/13/2007
Time:             7:31:15 PM
User:             NT AUTHORITY\SYSTEM
Computer:         VS512001-08
Description:
Logon Failure:
    Reason:                   Unknown user name or bad password
    User Name:                WebSiteUser
    Domain:                   VS512001-08
    Logon Type:               4
    Logon Process:            Advapi
    Authentication Package:   Negotiate
    Workstation Name:         VS512001-08
    Caller User Name:         VS512001-08$
    Caller Domain:            FUSIONAPPS
    Caller Logon ID:          (0x0,0x3E7)
    Caller Process ID:        2064
    Transited Services:       -
    Source Network Address:   -
    Source Port:              -
 
Event Type:       Error
Event Source:     W3SVC
Event Category:   None
Event ID:         1059
Date:             6/13/2007
Time:             7:34:27 PM
User:             N/A
Computer:         VS512001-08
Description:
A failure was encountered while launching the process serving application pool 'Subtext-NoRecycle'. The application pool has been disabled.

 
Event Type:       Warning
Event Source:     W3SVC
Event Category:   None
Event ID:         1057
Date:             6/13/2007
Time:             7:34:27 PM
User:             N/A
Computer:         VS512001-08
Description:
The identity of application pool 'Subtext-NoRecycle' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.
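The 529 audit above carries Logon Type 4 (batch), which is the logon IIS 6 uses for an app pool identity; the IIS_WPG membership from step 8 grants that right, so a 529 with "bad password" really is the password and not a missing right (a missing right logs 534 instead). As an added example (not code from the original post), the script below looks for these three events, reports the pool state, and re-applies the identity password when W3SVC has disabled the pool. The pool and account names are the checklist's (the audit above names an earlier account, WebSiteUser; change $WebUser to match what your 529 shows); the one-hour look-back window is an assumption, and reading the Security log needs administrator rights.

```powershell
# Added example; not code from the original post. Looks for the three events above,
# reports the pool state, and re-applies the identity password when the pool has been
# disabled. Pool and account names are the checklist's; the look-back window is assumed.
$PoolName = "Subtext-NoRecycle"
$WebUser  = "LimitedWebAccount"

function Get-AppPoolIdentityEvents([int]$LookBackMinutes = 60) {
    # W3SVC 1057/1059 land in the System log, the 529 failure audit in Security.
    # -Newest caps how much is read; the Where-Object filters do the matching.
    $since = (Get-Date).AddMinutes(-$LookBackMinutes)
    $sys = Get-EventLog -LogName System -Newest 500 | Where-Object {
        $_.Source -eq "W3SVC" -and ($_.EventID -eq 1057 -or $_.EventID -eq 1059) -and
        $_.TimeGenerated -gt $since -and $_.Message -like "*'$PoolName'*" }
    $sec = Get-EventLog -LogName Security -Newest 2000 | Where-Object {
        $_.EventID -eq 529 -and $_.TimeGenerated -gt $since -and
        $_.Message -match "User Name:\s+$WebUser\b" }
    return @($sys) + @($sec)
}

function Get-AppPoolState {
    # IIsApplicationPool.AppPoolState: 1 Starting, 2 Started, 3 Stopping, 4 Stopped
    $pool = [adsi]"IIS://localhost/W3SVC/AppPools/$PoolName"
    return [int]$pool.AppPoolState.Value
}

function Reset-AppPoolIdentity([string]$Password) {
    # Put the same password on the account and in the metabase, then start the pool that
    # W3SVC disabled (event 1059). AppPoolIdentityType 3 = specific user (WAMUserName/Pass).
    net user $WebUser $Password | Out-Null
    $pool = [adsi]"IIS://localhost/W3SVC/AppPools/$PoolName"
    $pool.Put("AppPoolIdentityType", 3)
    $pool.Put("WAMUserName", "$env:COMPUTERNAME\$WebUser")
    $pool.Put("WAMUserPass", $Password)
    $pool.SetInfo()
    $pool.Start()
}

$events = @(Get-AppPoolIdentityEvents)
if ($events.Count -eq 0) {
    "No app pool identity failures for '$PoolName' in the last hour."
} else {
    $events | Select-Object TimeGenerated, EntryType, Source, EventID | Format-Table -AutoSize
    if ((Get-AppPoolState) -eq 4) {
        $newPass = Read-Host "Pool '$PoolName' is stopped. Enter the password to set for $WebUser"
        Reset-AppPoolIdentity $newPass
        "Pool state after restart: $(Get-AppPoolState) (2 = Started)"
    }
}
```

If the pool stops again right after Reset-AppPoolIdentity, the password in the metabase is not the problem; check that the account is still in IIS_WPG and that its password is not set to expire.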