Deploying the Target Server


Before you begin the migration process, you must deploy the target server by following these steps:

  1. Install Windows Server 2003 on the target server. To follow the process described in this chapter, install Windows Server 2003 with the default options.

  2. Install and configure IIS 6.0 on the target server. To follow the process described in this chapter, install IIS 6.0 with the default options.

    By default, IIS 6.0 is configured to run in worker process isolation mode. If you determined that your Web site can run in worker process isolation mode, you can continue to follow the migration process described in this chapter.

    However, if you determined that your Web site cannot run in worker process isolation mode, you must modify the code or configure IIS 6.0 to run in IIS 5.0 isolation mode. For more information about migrating Web sites to IIS 6.0 running in IIS 5.0 isolation mode, see Migrating IIS Web Sites to IIS 6.0 in Deploying Internet Information Services (IIS) 6.0 of the Microsoft Windows Server 2003 Deployment Kit (or see Migrating IIS Web Sites to IIS 6.0 on the Web at http://www.microsoft.com/reskit).

  3. Verify connectivity between the source server and the target server.

If you have already installed Windows Server 2003 on the target server, installed and configured IIS 6.0 on the target server, and verified connectivity between the source and target servers, you can proceed to Migrating Web Sites with the IIS 6.0 Migration Tool later in this chapter.

Installing and Configuring Windows Server 2003

The primary concern when installing Windows Server 2003 is to ensure that the security of the target server is maintained. When you install Windows Server 2003 as a dedicated Web server, the default components and services are configured to provide the smallest possible attack surface. You can further reduce the attack surface of the target server by enabling only the essential Windows Server 2003 components and services.

Install the Windows Server 2003 operating system on your target server with the default options. If you use other methods for installing and configuring Windows Server 2003, such as unattended setup, your configuration settings might be different.

To start Setup for a new installation using the CD

  1. Insert the CD in the CD-ROM drive, and then restart the computer.

  2. Follow the instructions for your operating system to boot the computer from the CD.

  3. Wait for Setup to display a dialog box, and then follow the Setup instructions.

    Note  

    When you complete the installation of Windows Server 2003, Manage Your Server automatically starts. The migration process described in this chapter assumes that you quit Manage Your Server and then further configure the Web server in Add or Remove Programs in Control Panel.

Configuring Windows Server 2003 Services

To enable and disable services, change the startup type of the service. You can configure the startup type of the service to one of the following:

  • Automatic. The service starts automatically when the operating system starts.

  • Manual. The service can be started by an administrator, a related operating system service, a system device driver, or an action in the user interface that depends on the manual service.

  • Disabled. The service cannot be started automatically or manually; to start a disabled service, you must change the startup type to Automatic or Manual.

Table 6.1 lists the Windows Server 2003 services, as well as the default startup type, the recommended startup type, and comments about the services. For each of the Windows Server 2003 services that are listed in Table 6.1, complete the following steps:

  1. Review the recommended startup type to determine whether you need to change the default startup type.

  2. Determine, based on the information provided in the comments, if the recommendation applies to your Web server.

  3. Configure the startup type for the service based on the decisions made in the previous steps.

    Table 6.1: Recommended Service Startup Types on a Dedicated Web Server

    (Each entry gives the service name, its default startup type, the recommended startup type, and the comment.)

    Application Management (Default: Manual; Recommended: See comment)
      Provides software installation services for applications that are deployed in Add or Remove Programs in Control Panel.
      On a dedicated Web server, this service can be disabled to prevent unauthorized installation of software.

    Automatic Updates (Default: Automatic; Recommended: See comment)
      Provides the download and installation of critical Windows updates, such as security patches and hotfixes.
      This service can be disabled when automatic updates are not performed on the Web server.

    Background Intelligent Transfer Service (Default: Manual; Recommended: See comment)
      Provides a background file-transfer mechanism and queue management, and it is used by Automatic Updates to automatically download programs (such as security patches).
      This service can be disabled when automatic updates are not performed on the Web server.

    Distributed File System (Default: Automatic; Recommended: Disabled)
      Manages logical volumes that are distributed across a local area network (LAN) or wide area network (WAN).
      On a dedicated Web server, disable Distributed File System.

    Distributed Link Tracking Client (Default: Automatic; Recommended: Disabled)
      Maintains links between NTFS V5 file system files within the Web server and other servers in the domain.
      On a dedicated Web server, disable Distributed Link Tracking.

    Distributed Link Tracking Server (Default: Manual; Recommended: Disabled)
      Tracks information about files that are moved between NTFS V5 volumes throughout a domain.
      On a dedicated Web server, disable Distributed Link Tracking.

    Error Reporting Service (Default: Automatic; Recommended: See comment)
      Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, Error Reporting will occur only for kernel faults.
      On a dedicated Web server, disable Error Reporting Service.

    Fax Service (Default: Manual; Recommended: Disabled)
      Provides the ability to send and receive faxes through fax resources that are available on the Web server and network.
      On a dedicated Web server, this service can be disabled because sending and receiving faxes is not a typical function of a Web server.

    Indexing Service (Default: Manual; Recommended: See comment)
      Indexes content and properties of files on the Web server to provide rapid access to the files through a flexible query language.
      On a dedicated Web server, disable this service unless Web sites or applications specifically use the Indexing Service for searching site content.

    NetMeeting Remote Desktop Sharing (Default: Manual; Recommended: Disabled)
      Allows remote administration of the server through NetMeeting.
      On a dedicated Web server, disable this service to eliminate a potential security threat.

    Performance Logs and Alerts (Default: Manual; Recommended: See comment)
      Collects performance data for the domain controller, writes the data to a log, or generates alerts.
      This service can be set to Automatic when you want to log performance data or generate alerts without an administrator being logged on.

    Print Spooler (Default: Automatic; Recommended: See comment)
      Manages all local and network print queues and controls all print jobs.
      On a dedicated Web server, this service can be disabled when no printing is required.

    Remote Access Auto Connection Manager (Default: Manual; Recommended: See comment)
      Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection.
      On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.

    Remote Access Connection Manager (Default: Manual; Recommended: See comment)
      Manages VPN and dial-up connections from the Web server to the Internet or other remote networks.
      On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.

    Remote Desktop Help Session Manager (Default: Manual; Recommended: Disabled)
      Manages and controls Remote Assistance.
      On a dedicated Web server, this service can be disabled. Use Terminal Services instead.

    Remote Procedure Call (RPC) Locator (Default: Manual; Recommended: See comment)
      Enables RPC clients using the RpcNs* family of application programming interfaces (APIs) to locate RPC servers and manage the RPC name service database.
      This service can be disabled if no applications use the RpcNs* APIs.

    Removable Storage (Default: Manual; Recommended: See comment)
      Manages and catalogs removable media, and operates automated removable media devices, such as tape autoloaders or CD jukeboxes.
      This service can be disabled when removable media devices are directly connected to the Web server.

    Telephony (Default: Manual; Recommended: See comment)
      Provides Telephony API (TAPI) support for client programs that control telephony devices and IP-based voice connections.
      On a dedicated Web server, this service can be disabled when TAPI is not used by applications.

    Telnet (Default: Manual; Recommended: Disabled)
      Enables a remote user to log on and run applications from a command line on the Web server.
      To reduce the attack surface, disable Telnet unless it is used for remote administration of branch offices or of Web servers that have no keyboard or monitor directly attached (also known as headless Web servers). Because Telnet traffic is plaintext, Terminal Services is the preferred method for remote administration.

    Terminal Services (Default: Manual; Recommended: See comment)
      Allows multiple remote users to be connected interactively to the Web server, and provides the display of desktops and the running of applications for those sessions.
      To reduce the attack surface, disable Terminal Services unless it is used for remote administration of branch offices or headless Web servers.

    Upload Manager (Default: Manual; Recommended: See comment)
      Manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks for the permission of the client to upload the hardware profile of the Web server and then searches the Internet for information about how to obtain the appropriate drivers or how to get support.
      To reduce the attack surface, disable this service on dedicated Web servers.

    WinHTTP Web Proxy Auto-Discovery Service (Default: Manual; Recommended: See comment)
      Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP) and enables an HTTP client to automatically discover a proxy configuration.
      On dedicated Web servers, this service can be disabled.

    Wireless Configuration (Default: Automatic; Recommended: See comment)
      Enables automatic configuration for IEEE 802.11 adapters.
      On dedicated Web servers without wireless network adapters, this service can be disabled.

    WMI Performance Adapter (Default: Manual; Recommended: See comment)
      Provides performance library information from WMI providers to clients on the network.
      On dedicated Web servers that do not use WMI to provide performance library information, this service can be disabled.

After determining which Windows Server 2003 services need to have a different default startup type on your Web server, complete the steps in the following procedure to modify the startup type.

To configure the startup type for Windows Server 2003 services

  1. Open Administrative Tools, and then click Services.

  2. In the details pane, right-click the Windows Server 2003 service that you want to change, and then click Properties.

  3. On the General tab, in the Startup type list box, click one of the following:

    • Automatic. The service starts automatically when the Web server is restarted.

    • Manual. The service can be started manually by an administrator or by another service.

    • Disabled. The service cannot be started by an administrator or by another service unless the startup type is changed to Automatic or Manual.

  4. Click OK to save the changes.
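The Services snap-in procedure above works one service at a time; the following PowerShell script, an added example that is not part of the Deployment Kit, audits a target server against the Table 6.1 recommendations in one pass. It assumes it runs locally on the target server as an administrator with Windows PowerShell installed, and that the display names match those in Table 6.1 (adjust the lists if a name differs on your build).

```powershell
# Added example (not from the Deployment Kit): audit local services against Table 6.1.
# Win32_Service.StartMode reports "Auto", "Manual" or "Disabled", which maps onto the
# Automatic / Manual / Disabled startup types set in the Services snap-in.

# Services that Table 6.1 recommends as Disabled on a dedicated Web server (display names).
$mustBeDisabled = @(
    'Distributed File System', 'Distributed Link Tracking Client',
    'Distributed Link Tracking Server', 'Fax Service', 'NetMeeting Remote Desktop Sharing',
    'Remote Desktop Help Session Manager', 'Telnet'
)

# Services whose recommendation is "See comment": report them so an administrator decides.
$reviewList = @(
    'Application Management', 'Automatic Updates', 'Background Intelligent Transfer Service',
    'Error Reporting Service', 'Indexing Service', 'Performance Logs and Alerts', 'Print Spooler',
    'Remote Access Auto Connection Manager', 'Remote Access Connection Manager',
    'Remote Procedure Call (RPC) Locator', 'Removable Storage', 'Telephony', 'Terminal Services',
    'Upload Manager', 'WinHTTP Web Proxy Auto-Discovery Service', 'Wireless Configuration',
    'WMI Performance Adapter'
)

# Report-only: one line per service that deviates from, or needs a decision under, Table 6.1.
function Get-ServiceFindings {
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $detail = "$($svc.DisplayName) [$($svc.Name)]: StartMode=$($svc.StartMode), State=$($svc.State)"
        if (($mustBeDisabled -contains $svc.DisplayName) -and ($svc.StartMode -ne 'Disabled')) {
            "NONCOMPLIANT  $detail; Table 6.1 recommends Disabled"
        }
        elseif (($reviewList -contains $svc.DisplayName) -and ($svc.StartMode -ne 'Disabled')) {
            "REVIEW        $detail; see the Table 6.1 comment"
        }
    }
}

# Enforce only the fixed "Disabled" recommendations; "See comment" services are left alone.
function Disable-RecommendedServices {
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        if ($mustBeDisabled -contains $svc.DisplayName) {
            if ($svc.State -eq 'Running') { Stop-Service -Name $svc.Name -Force }
            Set-Service -Name $svc.Name -StartupType Disabled
            "Disabled $($svc.DisplayName) [$($svc.Name)]"
        }
    }
}

Get-ServiceFindings
# Run Disable-RecommendedServices after reviewing the findings.
```

Re-run Get-ServiceFindings after changes; an empty result means every Table 6.1 service is either Disabled or deliberately left enabled.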

Installing and Configuring IIS 6.0

For security reasons, IIS 6.0 is not installed during the default installation of Windows Server 2003. Thus, the next step in deploying the target server is to install and configure IIS 6.0.

As with installing Windows Server 2003, your primary concern when installing and configuring IIS 6.0 is to ensure that the security of the target server is maintained. Enabling unnecessary components and services increases the attack surface of the target server. You can help ensure that the target server is secure by enabling only the IIS 6.0 components and services that you need to use on your Web server.

Note  

The migration process presented here assumes that you install IIS 6.0 with the default options in Add or Remove Programs in Control Panel. If you use other methods for installing IIS 6.0, the default configuration settings might be different.

Install and configure IIS 6.0 by completing the following steps:

  1. Install IIS 6.0 with the default options in Add or Remove Programs in Control Panel.

  2. If the Web site on the source server uses FrontPage Server Extensions, install FrontPage 2002 Server Extensions from Microsoft on the target server.

  3. Configure IIS 6.0 components and services, making sure that you only enable the components and services that your Web site needs to run correctly.

To install IIS 6.0 from Control Panel

  1. In Control Panel, double-click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. In the Components box, click Application Server, and then click Details.

  4. In the Subcomponents of Application Server box, click Internet Information Services (IIS), and then click OK.

  5. Click Next to start the installation.

To install FrontPage 2002 Server Extensions from Control Panel

  1. In Control Panel, double-click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. In the Components list box, click Application Server, and then click Details.

  4. In the Subcomponents of Application Server box, click Internet Information Services (IIS), and then click Details.

  5. Click FrontPage 2002 Server Extensions, click OK twice, and then click Next to start the installation.

Configuring IIS 6.0 Components and Services

Enable only the essential IIS 6.0 components and services that are required by your Web sites. Enabling unnecessary components and services increases the attack surface of the Web server.

For each of the subcomponents that are listed in Table 6.2 and Table 6.3, complete the following steps:

  1. Review the recommended settings to determine whether you need to make changes to the default settings.

  2. Determine, based on the information provided in the comments, whether the recommendation applies to your server.

  3. Enable or disable the component based on the decisions made in the previous steps.

    Table 6.2: Subcomponents of Internet Information Services (IIS)

    (Each entry gives the subcomponent, its default setting, the recommended setting, and the comment.)

    Background Intelligent Transfer Service (BITS) server extension (Default: Disabled; Recommended: See comment)
      BITS is a background file transfer mechanism used by applications such as Windows Update and Automatic Updates.
      Enable this component when you have software that depends on it, such as Windows Update or Automatic Updates, to automatically apply service packs or hotfixes, or to install other software on the Web server.
      For more information, see Obtaining and Applying Current Security Patches later in this chapter.

    FrontPage 2002 Server Extensions (Default: Disabled; Recommended: See comment)
      Provides FrontPage support for administering and publishing Web sites.
      On a dedicated Web server, disable when no Web sites are using FrontPage Server Extensions.

    World Wide Web Service (Default: Enabled; see Table 6.3 for subcomponents; Recommended: No change)

    Table 6.3: Subcomponents of the World Wide Web Service

    (Each entry gives the subcomponent, its default setting, the recommended setting, and the comment.)

    Active Server Pages (Default: Disabled; Recommended: See comment)
      Provides support for Active Server Pages (ASP).
      Disable this component when none of the Web sites or applications on the Web server uses ASP. You can disable this component in Add or Remove Windows Components, which is accessible from Add or Remove Programs in Control Panel, or in the Web Service Extensions node in IIS Manager.
      For more information, see Enabling ASP and FrontPage Server Extensions later in this chapter.

    Server-Side Includes (Default: Disabled; Recommended: See comment)
      Provides support for .shtm, .shtml, and .stm files.
      Disable this component when none of the Web sites or applications on the Web server includes files with these extensions.

    World Wide Web Service (Default: Enabled; Recommended: No change)
      Provides Internet services, such as static and dynamic content, to clients.
      This component is required on a dedicated Web server.
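Table 6.3 notes that ASP and Server-Side Includes can also be controlled from the Web Service Extensions node in IIS Manager. The following PowerShell script, an added example that is not part of the Deployment Kit, reads that same list on the target server and reports any handler that is allowed but not on your list of required extensions. It assumes Windows PowerShell on the target server, the IIS 6.0 WMI provider (namespace root\MicrosoftIISv2, class IIsWebServiceSetting with its WebSvcExtRestrictionList property), and that ASP and Server-Side Includes appear under the GroupID values 'ASP' and 'SSINC'; confirm those identifiers against the Web Service Extensions node in IIS Manager.

```powershell
# Added example (not from the Deployment Kit): report Web Service Extensions that are
# allowed on this server but not needed by its Web sites (Table 6.3 guidance).
# Assumptions: IIS 6.0 WMI provider in root\MicrosoftIISv2; GroupID 'ASP' = Active
# Server Pages and 'SSINC' = Server-Side Includes; run as an administrator.

# Extensions your sites actually need. Use @() when no site uses ASP;
# add 'SSINC' only when .shtm/.shtml/.stm files are served.
$requiredExtensions = @('ASP')

function Get-WebServiceExtensionFindings {
    $w3svc = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServiceSetting `
                           -Filter "Name='W3SVC'"
    foreach ($ext in $w3svc.WebSvcExtRestrictionList) {
        $needed = $requiredExtensions -contains $ext.GroupID
        $label  = "$($ext.GroupID) ($($ext.Description); $($ext.FilePath))"
        if ($ext.Allowed -and -not $needed) {
            # Allowed handler that no site requires: extra attack surface per Table 6.3.
            "REVIEW   $label is Allowed but not listed as required; prohibit it unless a site needs it"
        }
        elseif ((-not $ext.Allowed) -and $needed) {
            "MISSING  $label is Prohibited but listed as required; enable it in IIS Manager"
        }
        else {
            "OK       $label Allowed=$($ext.Allowed)"
        }
    }
}

Get-WebServiceExtensionFindings
```

The wildcard entries for unknown ISAPI and CGI extensions are listed too; on a dedicated Web server they should normally report as Prohibited.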

Verifying Connectivity Between the Source Server and the Target Server

Before you run the IIS 6.0 Migration Tool, you must ensure that the target server can establish a connection to the source server, and you must verify that the IISAdmin service is started on the source computer.

The IIS 6.0 Migration Tool requires only read access to the Web site content and configuration settings on the source server. Therefore, the source server can remain online in your production environment. However, you might need to remove the source server from your production network and move it to a private network segment that has direct network connectivity to the target server under the following circumstances:

  • Firewalls that exist between the source and target servers prevent the migration tool from performing the migration. This often occurs because the migration tool uses DCOM ports that are blocked by the firewalls for communicating with the source and target servers.

  • Security-related configuration settings on the source server need to be modified to allow the migration tool to work.

    Examples of security-related configuration settings that can prevent the migration tool from working include the following:

    • Remote access to disk volumes through administrative shares is prohibited.

      The IIS 6.0 Migration Tool requires access to the disk volume that contains the Web site content to perform the migration. For example, if the Web site content is stored in D:\Inetpub\Wwwroot, the migration tool must access the administrative share (D$) of the disk volume. The administrative shares are often removed to help prevent unauthorized access to the Web server. In order to use the migration tool, you must re-create the appropriate administrative shares.

    • Remote access to the source server must be allowed for members of the local Administrators group on the source server.

      For security reasons, many organizations restrict the members of the local Administrators group so that they can only log on locally, not over the network. However, the migration tool must be able to remotely access the source server over the network, as a member of the local Administrators group.

To verify connectivity between the source server and the target server

  1. On the target server, open IIS Manager, click Action, and then click Connect.

  2. In Computer name, type the name of the source server, or click Browse to navigate to the source server, and then click OK.
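The IIS Manager connection above exercises the same DCOM path the migration tool uses. The following PowerShell script, an added example that is not part of the Deployment Kit, runs the three prerequisite checks from this section from the target server: reachability, the IISAdmin service state on the source over remote WMI (DCOM), and access to the administrative share of the content volume. It assumes Windows PowerShell 2.0 or later on the target server and an account that is a member of the source server's local Administrators group; SOURCE-SERVER and the volume letter are placeholders to replace.

```powershell
# Added example (not from the Deployment Kit): pre-migration connectivity checks,
# run on the target server. Replace the placeholders before use.
param(
    [string]$SourceServer  = 'SOURCE-SERVER',   # placeholder: source server name
    [string]$ContentVolume = 'D'                # volume holding the content, e.g. D:\Inetpub\Wwwroot
)

function Test-MigrationPrerequisites {
    param([string]$Server, [string]$Volume)
    $results = @()

    # 1. Reachability. ICMP may be filtered, so a failure here is a hint, not proof.
    $ping = Get-WmiObject -Class Win32_PingStatus -Filter "Address='$Server'"
    if ($ping.StatusCode -eq 0) { $results += "Ping ${Server}: OK" }
    else { $results += "Ping ${Server}: FAILED (StatusCode $($ping.StatusCode))" }

    # 2. IISAdmin on the source, queried over remote WMI. This rides on DCOM, the same
    #    transport the migration tool needs, so a failure points at the firewall or at
    #    the 'Administrators may log on locally only' restriction described above.
    try {
        $iisAdmin = Get-WmiObject -Class Win32_Service -ComputerName $Server `
                                  -Filter "Name='IISADMIN'" -ErrorAction Stop
        if ($iisAdmin -eq $null) { $results += 'IISAdmin: service not found on the source server' }
        else { $results += "IISAdmin: State=$($iisAdmin.State), StartMode=$($iisAdmin.StartMode)" }
    }
    catch {
        $results += "DCOM/WMI to ${Server}: FAILED ($($_.Exception.Message))"
    }

    # 3. Administrative share of the content volume, which the tool reads content through.
    $share = "\\$Server\$Volume`$"
    if (Test-Path $share) { $results += "Admin share ${share}: reachable" }
    else { $results += "Admin share ${share}: NOT reachable (re-create the share or check remote logon rights)" }

    return $results
}

Test-MigrationPrerequisites -Server $SourceServer -Volume $ContentVolume
```

All three lines should read OK/Running/reachable before you run the IIS 6.0 Migration Tool; any FAILED line maps directly to one of the circumstances listed above.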




The Microsoft Windows Server Team, Migrating from Microsoft Windows NT Server 4.0 to Windows Server 2003
ISBN: 0735619409
Year: 2004