Re: So near and yet so far... it's always the same with Microsoft


From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 04/25/04


Date: Sun, 25 Apr 2004 02:48:40 -0700

I agree with many of your sentiments, such as:
- IIS not having a built-in account for IUSR like "Network Service"
- IIS_WPG not being a built-in group
- having a DC for load-balanced webservers makes the DC the single-point of
failure for the load-balanced webservers

I also understand that you're just frustrated that you see the optimal
solution to your problem, but darn it, there's no easy way to implement it
and instead, you have to do this domain thing.

I can only argue that Microsoft is trying to write general-purpose
components that can be tailored for a large customer base; we're not writing
custom-made software (at least, those of us at IIS aren't writing
custom-made code)... and that a cost of having general-purpose is that more
optimal solutions may not always be easy.

Web hosters in your situation have turned to ADAM to provide the
domain-controller to synchronize user credentials, privileges, and ACLs on
the load-balanced machines. The SID-group tool would be a really cool
optimization for the problem, but darn it, the customer base seems to think
that writing custom software is more expensive than the Microsoft solution.

What I am interested in hearing from you is what sort of alternative,
non-domain-based solution to the user synchronization problem you'd like to
have. What should the solution look like? How would every other customer
use it? Would 5% or 90% of the customers use this? What would be the cost?
And why should Microsoft provide it versus a third party or even yourself?
There could be a business here for someone. :-)

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Tilfried Weissenberger" <tilli@weissenberger.at> wrote in message
news:a9a9d464.0404241031.2f048d64@posting.google.com...
Hi,
Why is it with many of Microsoft's technologies, that they got a great
base, but just the thing that one needs seems to have been forgotten,
or neglected or whatever?!?!
NLB is finally included with all Win2k3 Server Editions, God bless
those who decided that at M$. Way to go! I even save on a hardware
loadbalancer! With Win2k3 I can create webs and easily sync them
between my now "load-balanced" servers! And to round it off, there we
have DFS with its useful FRS for keeping those static HTML pages on
all servers in the NLB-farm synchronized.
Wow! What a great solution!! But wait a minute, what's this? In order
to use FRS we need to somehow unify our ACLs on the NTFS resources
being synchronized, or we'll have to change/add to the ACLs for each
node in the cluster.
Now let's see. IIS installs a couple of users and groups -
IUSR_<machine>, IWAM_<machine>. MS.Net uses a couple of other ones,
ASPNET, Network Service, System Service - did I forget any? But hey!
They knew what to do! They added them all into a group called IIS_WPG.
But ***, all those are local users and groups! And the group doesn't use
a Well-Known-SID.
Now what was the strategy?
They (the devs) obviously didn't go for a domain-structure, since they
tied all that down into local units pretty well. I'd like that
approach more anyways, because having local rights on the webservers
would make it easy to withstand a total Domain-Failure or move back to
stand-alone, without having to change the ACLs all over. But they also
didn't think past a single-server solution.
On one hand, we got OOP session state, NLB, FRS, you name it, on the
other hand you have to re-invent the wheel to somehow "glue" it all
back together!!!
Ok, maybe I missed something, and you're going to enlighten me and I'll
feel sorry. I sure hope so.
I didn't find a single tool with which one could create a group on 2
computers with a predefined SID. That would be as simple as that and
my day would be saved. But obviously NOBODY ever needed such a tool -
no one at SysInternals, no one at Microsoft, no one at Rackspace (very
large provider).
Are we really being made to create a domain-user, fiddle with a whole
bunch of rights we have to manually set on each webserver and then buy
another DC and another GC so that in case our primary GC/DC goes
down/is unavailable all our webs won't stop working??
Someone please enlighten me with a solution that's worthy of being
implemented...
regards, Tilli
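As an added example (not from either post), here is a PowerShell check a practitioner could run on each NLB node to find exactly the ACEs Tilli describes: entries on FRS-replicated content that name machine-local principals (IIS_WPG, IUSR_<machine>, IWAM_<machine>) and therefore cannot resolve on the other nodes. The content path and the use of the RID-500 account to discover the machine SID are assumptions.

```powershell
# Added example, not code from the thread. Reports ACEs under a replicated web
# root that reference principals local to THIS machine (SID prefix
# S-1-5-21-<machine-specific>), or SIDs that no longer resolve here (typically a
# local account replicated in from another node). Well-known SIDs such as
# Network Service (S-1-5-20) and SYSTEM (S-1-5-18) are identical everywhere
# and are not reported.
param([string]$Path = 'D:\wwwroot')   # assumed FRS-replicated content root

# Every Windows installation has a local account with RID 500 (built-in
# Administrator, even if renamed); its SID yields this machine's domain SID.
$rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Select-Object -First 1
$machineDomainSid = $rid500.SID.AccountDomainSid.Value

function Get-AceProblem {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $idRef = $Ace.IdentityReference
    # Get-Acl hands back a raw SecurityIdentifier only when the name lookup failed.
    if ($idRef -is [System.Security.Principal.SecurityIdentifier]) {
        return 'unresolved SID (local account from another node?)'
    }
    $sid = $idRef.Translate([System.Security.Principal.SecurityIdentifier])
    if (-not $sid.IsAccountSid()) { return $null }            # well-known, replicates safely
    if ($sid.AccountDomainSid.Value -eq $machineDomainSid) {
        return 'machine-local principal (will not resolve on other nodes)'
    }
    return $null                                              # domain principal, fine
}

Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
    $item = $_
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.IsInherited) { continue }   # reported once, at the entry that defines it
        $problem = Get-AceProblem -Ace $ace
        if ($problem) {
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Problem  = $problem
            }
        }
    }
} | Format-Table -AutoSize
```

Run it on each node after an FRS sync; an empty result means every explicit ACE on the replicated tree names a domain or well-known principal and will evaluate the same way on every server in the farm.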
