Active Directory, IIS 7.0 web-farm reference

This post is targeted at helping IIS administrators understand how Active Directory can be used by IIS web-farms.  My goal is to help anyone looking to deploy IIS in a web-farm scenario and use Active Directory as an authentication store.  There are several moving parts related to a web-farm.

  1. Content deployment

  2. Configuration management, including Shared Configuration   

  3. SSL certificates   

  4. Logging   

  5. FTP deployment using Active Directory.   

  6. Load-balancing (hardware and software)   

  7. Hardware selection for web-farms.  

  8. Virtual servers or physical machine. 

As you can see, there are a lot of pieces, which makes troubleshooting a web-farm more difficult than troubleshooting a stand-alone server.  For purposes of this post, we'll focus on Active Directory and web-farms.   Here is an introduction to the topics we'll be covering in this post.


  • What is a web-farm?

  • Why do I need a web farm?

  • How do I distribute traffic to all machines?

  • What is a Virtual IP address?

  • Diagram of a web-farm

Active Directory

  • What is Active Directory?

  • Do I need Active Directory?

  • Diagram of Active Directory

Deployment of a test environment

  • Deploying Active Directory

  • Deploying member servers with IIS

  • Setup your machines. 

  • Setting up on Server1, Server2

  • Setup NLB (network load-balancing)

  • Create AD users and Groups

  • Create Remote Share on file server

  • Configure IIS to use a remote share.


What is a web-farm?  A web-farm is 2 or more machines hosting the same website, so that any one of them can serve a given request.  Pretty simple huh?!  Yes, that is the definition of a web-farm.   Wikipedia has a reference to a Server Farm.  Web-farm or server farm, they are pretty much the same thing, just worded differently.  Wikipedia's definition includes the term "cluster".

In my opinion, a cluster provides failover of a single instance of something.  For example, if you have two machines hosting a single instance of a database, the database instance only runs on one server.  The other server participating in the cluster is idle.  I refer to two machines hosting a single instance as an Active/Passive cluster.

Why do I need a web-farm? – Running a single website on multiple machines has many benefits.  Probably the biggest reason is scalability, followed by redundancy.  Scalability matters when you need your website to handle increasing workloads or peaks in traffic.  Another benefit is controlled change management in a production environment.  For instance, you have 2 machines in your web-farm and you want to update your website.  You can take Server1 out of rotation, update and test the code, then introduce it back into rotation.  If you experience issues, you can roll the code changes back to the original set of files.  While you have been testing your updates, the website has been running without interruption on Server2.  Once you have worked out any issues, you can perform the same steps on Server2 while Server1 handles requests.

How do I distribute traffic to both machines?  You would use some form of load-balancing.  Microsoft provides a free version called Network Load Balancing (NLB).   There are also 3rd-party load-balancers from Cisco, F5 and Foundry Networks.   You could also use DNS round-robin load-balancing: you set up two separate A records under a single DNS name.  (For example, Server1's IP address is and Server2's is.   You would have one A record pointed to (Server1) and another A record pointed to (Server2).  When a person requests a record for, one request would go to Server1 and the next request would go to Server2.)  The downside of DNS load-balancing is that DNS has no health check: if a server stops responding, in this example half of your requests would fail, and they keep failing until you remove that server's record and every cached copy of it has expired.
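A worked version of the DNS round-robin option, added here and not part of the original post.  It assumes a Windows DNS server named DC1 that is authoritative for a zone called contoso.com, a host name www, and Server1/Server2 at the documentation addresses 192.0.2.11 and 192.0.2.12; every one of those names and addresses is an assumption for illustration.  It drives dnscmd, which ships with the DNS Server role on Windows Server 2008, from PowerShell on the DNS server.

```powershell
# Added example (not from the post): DNS round-robin for a two-node farm with dnscmd.
# Assumed names: DNS server DC1, zone contoso.com, host www,
# Server1 = 192.0.2.11, Server2 = 192.0.2.12 (RFC 5737 documentation addresses).
$dns  = 'DC1'
$zone = 'contoso.com'
$name = 'www'
$ttl  = 60   # seconds; keep it short so a dead node can be pulled out quickly

# Round-robin has to be enabled and netmask ordering disabled, otherwise the server
# always answers with the record "closest" to the client first instead of rotating.
dnscmd $dns /Config /RoundRobin 1
dnscmd $dns /Config /LocalNetPriority 0

# Two A records with the same name; dnscmd takes the TTL before the record type.
dnscmd $dns /RecordAdd $zone $name $ttl A 192.0.2.11
dnscmd $dns /RecordAdd $zone $name $ttl A 192.0.2.12

# Check the rotation: repeat the query and the order of the answers should change.
1..4 | ForEach-Object { nslookup "$name.$zone" $dns }

# The failure mode from the post: DNS has no health check, so if Server2 dies about
# half of new connections still go to it. The only fix is to delete its record and
# wait for the TTL to run out on every cached copy.
dnscmd $dns /RecordDelete $zone $name A 192.0.2.12 /f
```

The two /Config switches are the part people usually miss: with LocalNetPriority left on, a client on the same subnet as one web server would be handed that server first every time, which defeats the rotation.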

What is a Virtual IP address?  A virtual IP address (VIP) is not tied to a specific server.  It's normally configured on a hardware load-balancer, which owns the address and distributes the traffic sent to it.  Microsoft's NLB works the same way: the cluster IP address is configured on every node in the cluster and is not tied to any one of them.  Confused?!  For more information on how Microsoft's NLB works, please review the documentation.  One clarification: if you are using DNS round-robin to distribute traffic, there is no virtual IP address; each A record points at a real server.

Web-farm Diagram


Active Directory

What is Active Directory?  Active Directory is Microsoft's implementation of directory services.  A directory service provides a central database for authentication, print services, file-share access and other features.  Here is the Wikipedia definition.  Active Directory provides LDAP (Lightweight Directory Access Protocol) services.   Active Directory uses DNS to locate objects, including servers and domain controllers.  For purposes of this article, we will not cover Active Directory in depth, rather show how it's used in a web-farm scenario.  For more information on Active Directory, we recommend checking out TechNet.

Do I need Active Directory for a web-farm?  You technically do not need Active Directory to run a web-farm.  Each machine could be a stand-alone server and use the local SAM database for user accounts.  If you need to authenticate between machines, you have to create the same user account with the same password on each one, grant it the same permissions, and keep all of them in sync every time the password changes.  The strength of using Active Directory is a central authentication resource: one account, one password, and one place to disable it.  For our purposes, we'll be using domain accounts for application pools and anonymous users.

Diagram of Active Directory

Deployment of a test environment

For purposes of this article, I'm going to use Virtual PC to show how easy it is to set up an environment.  You could also use VMware or Hyper-V for testing.  The host machine is running Windows Server 2008 Enterprise x64 edition with 4 GB of RAM and a 250 GB IDE hard drive.  (PS: my host machine doesn't support Hyper-V.)

Necessary software / Assumptions

Setup your machines.

  • Download and install Virtual PC

  • Download ISO version of Windows Server 2008

  • Create a single instance of Windows Server 2008.  The first machine will be DC1

  • Create a second machine, this will be DC2.

  • Create a third machine, call it Server1 (Inside this VM, add additional Network Adapter)

  • Create a fourth machine, call it Server2 (Inside this VM, add an additional Network Adapter)

Create Websites on Server1, Server2

  • Create a website on both servers, pointing to c:\inetpub\wwwroot.  This will be changed later on to use a remote share.

Setup NLB (network load-balancing)

For our example, we set up Microsoft Network Load Balancing.

Create AD users and Groups

Log into your domain controller and create 3 items (an FTP user, an anonymous user and a group).

Create Remote Share on file server

This section covers setting up your file server and granting permissions to the AD group.

Configure IIS to use a remote share.

This section covers setting up IIS to use the remote share, setting the application pool to use the AD user.
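The NLB, AD, file-server and IIS steps above, scripted end to end as an added example that is not part of the original post.  It uses tools that ship with Windows Server 2008 (dsadd, icacls, net share, appcmd) plus the NetworkLoadBalancingClusters PowerShell module, which only exists on Windows Server 2008 R2 and later (on 2008 RTM the same settings are made in NLB Manager).  Every name below is an assumption for illustration: the domain CONTOSO (contoso.com), an OU called WebFarm, file server FS1 with share \\FS1\wwwroot, a group WebFarmContent, the accounts svc_webfarm (application pool), svc_webanon (anonymous user) and svc_ftpdeploy (FTP deployment), a second network adapter named NLB, and the cluster VIP 192.0.2.100/24.

```powershell
# Added example (not from the post). Assumed names: domain CONTOSO, OU WebFarm,
# file server FS1, share \\FS1\wwwroot, group WebFarmContent, accounts svc_webfarm,
# svc_webanon, svc_ftpdeploy, NLB adapter "NLB", cluster VIP 192.0.2.100/24.

# ---------- On DC1: service accounts and the group that gets read access to the content.
$ou = 'OU=WebFarm,DC=contoso,DC=com'
dsadd ou $ou
# -pwd * prompts for the password so it never lands in the shell history.
dsadd user "CN=svc_webfarm,$ou"   -samid svc_webfarm   -pwd * -disabled no -pwdneverexpires yes
dsadd user "CN=svc_webanon,$ou"   -samid svc_webanon   -pwd * -disabled no -pwdneverexpires yes
dsadd user "CN=svc_ftpdeploy,$ou" -samid svc_ftpdeploy -pwd * -disabled no
# Plain domain users only: none of these belong in Domain Admins or a server's Administrators group.
dsadd group "CN=WebFarmContent,$ou" -secgrp yes -scope g -members "CN=svc_webfarm,$ou" "CN=svc_webanon,$ou"

# ---------- On FS1: the content share. Share ACL and NTFS ACL are both enforced, so the
# farm accounts only read and only the deployment account writes.
New-Item -ItemType Directory -Path 'D:\wwwroot' -Force | Out-Null
icacls 'D:\wwwroot' /inheritance:r
icacls 'D:\wwwroot' /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
    'CONTOSO\WebFarmContent:(OI)(CI)RX' 'CONTOSO\svc_ftpdeploy:(OI)(CI)M'
# Quoted because PowerShell would otherwise split the comma into two arguments.
net share wwwroot=D:\wwwroot '/GRANT:CONTOSO\WebFarmContent,READ' '/GRANT:CONTOSO\svc_ftpdeploy,CHANGE'

# ---------- On Server1 and Server2: run the site as the domain accounts, content from the share.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'
$pool   = 'DefaultAppPool'
$poolPw = Read-Host 'Password for CONTOSO\svc_webfarm'
$anonPw = Read-Host 'Password for CONTOSO\svc_webanon'

& $appcmd set apppool $pool /processModel.identityType:SpecificUser `
    "/processModel.userName:CONTOSO\svc_webfarm" "/processModel.password:$poolPw"
# Anonymous requests are impersonated as this account, so it needs read on the share
# (granted via the group). Setting userName to "" instead would reuse the pool identity.
& $appcmd set config $site /section:system.webServer/security/authentication/anonymousAuthentication `
    "/userName:CONTOSO\svc_webanon" "/password:$anonPw"
& $appcmd set vdir "$site/" "/physicalPath:\\FS1\wwwroot"
# Verify what was actually written before putting the node back into rotation.
& $appcmd list apppool $pool /text:processModel.userName
& $appcmd list vdir "$site/" /text:physicalPath

# ---------- On Server1: the NLB cluster on the second adapter (2008 R2+ cmdlets).
Import-Module NetworkLoadBalancingClusters
New-NlbCluster -InterfaceName 'NLB' -ClusterName 'www.contoso.com' -ClusterPrimaryIP 192.0.2.100 `
    -SubnetMask 255.255.255.0 -OperationMode Multicast
Add-NlbClusterNode -InterfaceName 'NLB' -NewNodeName 'Server2' -NewNodeInterface 'NLB'
# Replace the default all-ports rule so only HTTP is balanced at the VIP.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 80 -EndPort 80 -Protocol Tcp -Mode Multiple -Affinity None
```

Two things worth checking after running this: that the app pool account is a member of nothing beyond WebFarmContent (appcmd happily accepts a Domain Admin), and that the NTFS and share permissions agree, because the effective permission on \\FS1\wwwroot is the more restrictive of the two.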

In summary, this article covers how to set up and configure an environment using Active Directory as the authentication store for web-farms.  Web-farms can help with scalability and redundancy.   Here are some additional resources I found while writing this blog.

I hope you find this article helpful.

Steve Schofield
Microsoft MVP – IIS

Active Directory, web-farm reference links review

After several years of having a static IP address, I switched to a DSL service that has only a dynamic (DHCP) IP address.  I knew I would miss having a static IP address. offers a free service where you can install an agent on your machine.  Here is more information about the service.  When your IP address is changed by your provider, the DNS name you created is automatically updated.  There is no need to remember the IP address.

I used for DNS resolution years ago and their service is impressive.   They offer a wide array of services including mail forwarding, server monitoring and more DNS-related services.  I can't think of another DNS provider as stable as they have been.  In all the years I used them, the only outage was a brief one when MS Blaster hit.  Yes, that was a few years ago.  🙂

So if you have a dynamic IP address and occasionally want to access your home machine, being able to create a DNS name is as easy as 1..2..3.

If you have another service similar to this, please let me know.

migration from gmail

I recently switched how I read my listserv email to a mail account. is coming along in their features.  Google rules the world and I've yet to see many positive posts on (none actually).  I wanted to share my experience.  I have several email accounts routed to a central account.  I use the central account to read and archive listserv messages.  I was using Google's Gmail and for the most part it was ok.  I missed the ability to separate messages into folders outside my inbox.  I dread a cluttered inbox, and from what I can tell, Gmail's labels and archiving features aren't quite what I was looking for.  I like to separate messages into individual folders. has the look and feel of Outlook, which allows me to create separate folders.  Then I can have mail messages go directly to specific folders.  I can casually browse specific folders when I want.  So far, the spam filtering has been nearly perfect; I've had no issues with much spam getting into my inbox.

The real kicker for me was Gmail's lack of support for reading posts from.  I answer a fair amount of questions, and when someone responds, I'm notified.  When I browse with Gmail's reader, the response is blank; I had to browse to the site to review the response.  When I read with, replies show up directly in the message.  I never got used to Gmail's feature where messages are consolidated into a single message.  Maybe it's just me, but I'd rather not have that.

My account does display ads, but I have no issues ignoring them.  In addition, a free account gets 5 GB of space, so I have no worries about running out of space.   I still use Google for searching; I've not totally taken the plunge to migrate all my stuff.  I'm a Microsoft platform person, so maybe my entire view is slanted.  I wanted to share my experience and maybe get others' feedback.  I'm sure I will.  🙂

Happy emailing!


IPSecurity restrictions in IIS 6

I made a reference to IISOle.dll and used the following code to add restrictions.  It requires .NET 3.5.   You can use Visual Basic Express to compile the code.  Thanks Brent for the assistance!

Imports System.DirectoryServices
Imports System.Linq

' Needs a COM reference to the IIS Admin Objects type library (IISOle), which
' supplies the IPSecurity interface, and .NET 3.5 for the LINQ query below.
Module Module1

    ' Usage: ipdeny.exe "SERVER!IP, MASK!SITEID" [...]
    ' Example: ipdeny.exe "localhost!192.168.1.50, 255.255.255.255!1"
    Sub Main(ByVal v_arrArgs As String())

        Dim args() As String = Environment.GetCommandLineArgs
        Dim y As Integer
        ' Element 0 is the executable path, so the real arguments start at 1.
        For y = 1 To UBound(args)
            ProcessIT(args(y))
        Next
    End Sub

    Sub ProcessIT(ByVal value As String)
        Dim ServerIP As String
        Dim IPAddress As String
        Dim SiteID As String
        Dim arrSplit As String() = Nothing

        ' The metabase stores each IPDeny entry as "address, mask", so the middle
        ' part of the argument must already be in that form.
        arrSplit = value.Split(CType("!", Char))
        ServerIP = arrSplit(0)
        IPAddress = arrSplit(1)
        SiteID = arrSplit(2)
        Dim Dir As New DirectoryEntry("IIS://" & ServerIP & "/W3SVC/" & SiteID & "/ROOT")
        Dim IpSec As IISOle.IPSecurity = CType(Dir.Properties("IPSecurity").Value, IISOle.IPSecurity)
        ' GrantByDefault = True: everyone is allowed except the IPDeny entries.
        IpSec.GrantByDefault = True
        ' An empty list comes back as Nothing rather than an empty array.
        Dim denied As Object() = TryCast(IpSec.IPDeny, Object())
        If denied Is Nothing Then denied = New Object() {}
        Dim IpList = (From Ip As String In denied).ToList()

        ' Don't add the same entry twice; repeated runs must not grow the list.
        For Each item As String In IpList
            If String.Equals(item, IPAddress, StringComparison.OrdinalIgnoreCase) Then
                Console.WriteLine(IPAddress & " is already denied on " & ServerIP & " site " & SiteID)
                Exit Sub
            End If
        Next

        ' Write the modified object back to the property and commit it to the metabase.
        IpList.Add(IPAddress)
        IpSec.IPDeny = IpList.Cast(Of Object)().ToArray()
        Dir.Properties("IPSecurity").Value = IpSec
        Dir.CommitChanges()
        Console.WriteLine("Denied " & IPAddress & " on " & ServerIP & " site " & SiteID)
    End Sub

End Module

Here is a forum post.


Steve Schofield

Personal: – Open Office 2.0 and printing Envelopes

Thought I would pass this tip along.  I recently set up my parents' computer with Open Office (WinXP too).   My parents needed basic Office functionality, and I was impressed with the Open Office suite.  My Dad uses the envelopes feature the most.  They had an HP 940 printer, which would handle printing envelopes.  I was getting inconsistent results when trying to get it to work with one printer configuration.

What I wanted to pass along for others looking at Open Office: I created a 'default printer' option with regular settings.  I created an additional printer setup to support envelopes, which was pointing at the same printer.  So inside Open Office, when I wanted to print envelopes, I chose the 'envelope printer'.  This worked like a charm.  I got the idea from a post here.

Hope this helps.



URLRewrite for IIS 7.0 released

The IIS team has made the URL Rewrite Module for IIS 7.0 Release To Web (RTW) available for download. This is a final, production-ready release that is officially supported by Microsoft.

Install the URL Rewrite Module for IIS 7.0 RTW today!

Great job Ruslan and IIS team, one more module closer to Apache. 🙂

Lots of articles posted on


Steve Schofield
Microsoft MVP – IIS