Updated Checklist to set up a new server
As you'll see below, I set up some very limited access user accounts and there are a few extra steps because of this.
- rename all standard user accounts such as “Administrator”, and make sure the “Guest” account is disabled
- Create ComputerUser account and make member of Admins. Log in with this user and customize:
  - Desktop Properties > Appearance > Color Scheme & Advanced > Desktop Color (so I can tell which machine I'm on when in Remote Desktop - each server gets a unique color scheme).
  - Set Start Menu and Taskbar properties the same as my other servers.
  - Turn off language bar and advanced text settings
- OPTIONAL - change Remote Desktop Connection port (see http://support.microsoft.com/kb/306759 -- ONLY takes effect after a REBOOT!)
- set up Windows firewall on new server. Add exceptions for:
  - RDC (custom port, if used)
  - FTP
  - HTTP
- create a special very limited Windows account for FTP use. Not a member of any groups.
- get FTP working on new server
  - Control Panel > Add/Remove Windows Components > Application Server > Details > IIS > Details > FTP
  - set up logging and upload folders for FTP & set permissions for ftp user account
  - Deny access except to specified IP addresses/computers
  - Don't allow anonymous access? Or do allow anonymous only from my IP address?
- create folder structure on new server. Here are some examples I use on a system with three drives:
  - D:\InetPub\Subtext
  - D:\SQLData\Subtext
  - E:\SQLLogs\Subtext
  - E:\Logs\WebLogs\websitename.com
  - E:\Settings\IIS (for config files, etc.)
  - Etc.
- install NTFS Link
- add Windows user account for LimitedWebAccount and make it a member of IIS_WPG (but not Users) on web server
- add read permissions for LimitedWebAccount account to:
  - C:\WINDOWS\Temp (and maybe C:\temp)
  - Logging folders? Is this required???
  - Website folders
- add write permissions for LimitedWebAccount account to:
  - upload folders of blogs
  - ?
- install MS SQL
- add security login for LimitedWebAccount to MSSQL
- Add custom trust policy as per http://blog.davestechshop.net/archive/2006/11/12/CustomTrustLevelForCommunityServer.aspx or http://blog-howto.com/archive/2006/09/24/CustomizingTrustLevelPolicy.aspx
  - Note that the Feed Reader in Community Server will not work unless trust is set to Full.
- create config files for IIS web sites and app pools on existing server
  - IISConfig.xml
  - IisAppPools.xml
- edit IIS config files:
  - change server name (H128223 to VS512001-08, for example)
  - change logging folder (E:\Logs\WebLogs to C:\Logs\Websites, for example)
  - Change ServerBindings IP address (208.112.91.107 to 172.16.100.202, for example)
  - Change website root folder (D:\InetPub\ to C:\Inetpub\wwwroot, for example)
- On new server add custom app pools in IIS (use config file)
  - set app pool Identity to LimitedWebAccount account & set password
- add web sites from config file (after checking edits for new server)
  - update passwords if required
- copy website applications (CommunityServer, DNN, Subtext, etc.)
  - zip up all stuff on existing server
  - FTP it to new server
  - unzip on new server
- use NTFS Link and set up junctions for Community Server as per http://blog.davestechshop.net/archive/2006/10/22/CommunityServerMultipleCommunities.aspx
- edit web.config files for db connection string
  - Community Server (FitEyes.com) – change DbConnection String Data Source only: 2 places
  - Subtext – change DbConnection string Server only: 1 place.
  - Don’t forget to modify for Sql Express if required (Server=VS512001-08\SQLEXPRESS;)
- create database backups on existing server
- restore databases to new server
  - using Options tab, change data and log file locations (“restore as”) as appropriate
  - Add new user and remove old user (which will differ by server name)
  - Subtext does not require any permissions for the LimitedWebAccount user.
  - CommunityServer requires all asp_ permissions plus db_datareader and db_datawriter.
- Change DNS records
  - Log into DynDns.org > My Services > “Custom DNS” for selected domain > Host record (click domain name) > enter new IP address
- test website
  - If Subtext gives “Service Unavailable”, check log files in C:\WINDOWS\system32\LogFiles\HTTPERR for something like “HTTP/1.1 GET /Default.aspx 503 1361756356 AppOffline Subtext-NoRecycle”.
  - Look in the Event Logs for errors like those shown below. These are all caused by an improper password in the Identity setting of the AppPool.
- Copy weblogs over from old server
- Set up backup jobs on new server
- Set up offsite backup (FTP transfer)
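
The "edit IIS config files" step above, as an added example (not part of the original checklist): a script that applies the four substitutions using the checklist's own example values and reports anything that still points at the old server. The sample XML is constructed in the style of an IIS 6 metabase export; `migrate_config` and `RULES` are names chosen for this example.

```python
import re

# Old -> new values are the examples given in the checklist above.
RULES = {
    "server name": ("H128223", "VS512001-08"),
    "log folder": (r"E:\Logs\WebLogs", r"C:\Logs\Websites"),
    "binding IP": ("208.112.91.107", "172.16.100.202"),
    "site root": ("D:\\InetPub\\", r"C:\Inetpub\wwwroot"),
}

# Constructed sample in the style of an IIS 6 metabase export (not real data).
SAMPLE = r'''<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Subtext"
  ServerBindings="208.112.91.107:80:" LogFileDirectory="E:\Logs\WebLogs"
  AppPoolId="Subtext-NoRecycle" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="d:\inetpub\Subtext"
  AnonymousUserName="IUSR_H128223" />'''


def migrate_config(text, rules=RULES):
    """Apply every old->new rule; return (new_text, hits, problems)."""
    hits, problems = {}, []
    for name, (old, new) in rules.items():
        # Drop trailing backslashes so "D:\InetPub\" -> "C:\Inetpub\wwwroot"
        # cannot produce "C:\Inetpub\wwwrootSubtext".
        old, new = old.rstrip("\\"), new.rstrip("\\")
        # Case-insensitive (Windows paths and host names), and never inside
        # a longer token such as 208.112.91.1075 or D:\InetPubOld.
        pattern = re.compile(
            r"(?<![A-Za-z0-9.])" + re.escape(old) + r"(?![A-Za-z0-9])",
            re.IGNORECASE,
        )
        text, hits[name] = pattern.subn(lambda m, new=new: new, text)
        if hits[name] == 0:
            problems.append(f"{name}: rule matched nothing, check the export")
        if old.lower() in text.lower():
            problems.append(f"{name}: old value {old!r} still present")
    return text, hits, problems


if __name__ == "__main__":
    new_text, hits, problems = migrate_config(SAMPLE)
    print(new_text)
    print(hits, problems or "no problems")
```

A rule that matches nothing, or an old value that survives the rewrite, is worth resolving before importing the file: a stale ServerBindings address or log path leaves the site bound or logging somewhere other than intended.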
Reason: Unknown user name or bad password
User Name: WebSiteUser
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: VS512001-08
Caller User Name: VS512001-08$
Caller Domain: FUSIONAPPS
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2064
Transited Services: -
Source Network Address: -
A failure was encountered while launching the process serving application pool 'Subtext-NoRecycle'. The application pool has been disabled.
The identity of application pool 'Subtext-NoRecycle' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.
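
The failed-logon event and the W3SVC message above, triaged in code as an added example (not part of the original post). It parses the `Key: value` fields and separates a rejected stored credential (batch or service logon requested by the local SYSTEM session, no source address) from a logon failure arriving over the network; the classification rule and the second sample event are assumptions of this example.

```python
import re

LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               8: "network cleartext", 10: "remote interactive"}
SYSTEM_SESSION = "(0x0,0x3E7)"  # logon session ID of the local SYSTEM account

# Excerpt of the event text quoted on this page.
APP_POOL_EVENTS = """Reason: Unknown user name or bad password
User Name: WebSiteUser
Logon Type: 4
Caller User Name: VS512001-08$
Caller Logon ID: (0x0,0x3E7)
Source Network Address: -
The identity of application pool 'Subtext-NoRecycle' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool."""

# Constructed contrast case: failed network logon (192.0.2.10 is a documentation address).
REMOTE_EVENT = """Reason: Unknown user name or bad password
User Name: WebSiteUser
Logon Type: 3
Caller Logon ID: -
Source Network Address: 192.0.2.10"""


def parse_event(text):
    """Return ('Key: value' fields as a dict, app pool names mentioned)."""
    fields = dict(re.findall(r"^([A-Za-z ]+):[ \t]*(.*)$", text, re.MULTILINE))
    pools = sorted(set(re.findall(r"application pool '([^']+)'", text)))
    return fields, pools


def triage(text):
    """Heuristic (an assumption of this example): separate a rejected stored
    credential from a logon attempt arriving over the network."""
    fields, pools = parse_event(text)
    ltype = int(fields.get("Logon Type", "0"))
    local = (fields.get("Caller Logon ID") == SYSTEM_SESSION
             and fields.get("Source Network Address", "-") == "-")
    if ltype in (4, 5) and local:
        verdict = "stored credential rejected: re-enter the identity password"
    elif ltype in (3, 10) or not local:
        verdict = "network logon failure: review the source address"
    else:
        verdict = "unclassified: inspect manually"
    return {"account": fields.get("User Name"), "app_pools": pools,
            "logon_type": LOGON_TYPES.get(ltype, str(ltype)), "verdict": verdict}


if __name__ == "__main__":
    for sample in (APP_POOL_EVENTS, REMOTE_EVENT):
        print(triage(sample))
```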