Hello!
I provide IT support for a small company. They have two OLD servers, and the one running ColdFusion MX7 is being replaced with an HP ML350 G6 that has 6GB memory (expandable if needed), RAID 1 300GB 15K SAS 6Gbps drives, and a single Quad-core Xeon E5506 CPU.
I have nothing to do with the CF stuff. Per their CF developer, CF9 is not supposed to be installed on a DC, and Adobe's reasoning is "Do not configure the server running ColdFusion as a Primary Domain Controller (PDC) or Backup Domain Controller (BDC). Adobe follows the Microsoft network model, in which the first level is the PDC or BDC. These systems only manage the network or domain and are not designed to run application servers. ColdFusion should reside on the second level of Microsoft Windows stand-alone systems. Stand-alone servers can participate in a network or domain."
However, most IT techs know that millions of small networks have DCs with LOB apps on them. I wonder if Adobe has an actual technical reason for their view, or if they are stuck with 1990s-era thinking when a DC could only handle one role.
I am thinking more along the lines of “will a function of CF9 not work properly” if it’s on a DC. I know the hardware can handle the DC load for the client's four workstations. Right now, it only uses 1.7GB of the 6GB memory (which is expandable anyway), and it is using less than 5% of the Quad-core Xeon E5506 CPU. Drives are 15K RPM SAS 6Gbps, barely being touched.
So, other than (in my opinion) the old-school "don't run anything else on a DC" thinking, is there an actual technical problem with having CF9 running on a Server 2008 R2 DC with the listed hardware?
Thank you for your opinions!
Gregg Hill
Hi Gregg,
In my opinion CF9 will install and you will not lose any particular functionality when installed on an AD role server. I have a personal preference not to install CF on a Windows AD box; however, it sounds like with 4 users on the domain in your case the overhead load on the server is light.
You may do well to add the web server role and features before installing CF9.
HTH, Carl.
Carl,
Thank you for the response. It already has IIS running for the Trend Micro WFBS antivirus server and console, so that is good to go, and it has the WatchGuard log server on it for the firewall. All of that running, and it barely touches the resources of the hardware.
The more I think about it, the less I think it being a DC is an issue, at least from a hardware standpoint. Really, how much work does a DC do on a small domain? Not much! Think about SBS servers: they have the AD role, Exchange, SharePoint, and often an LOB app, and they run perfectly.
I prefer two-server networks and a domain for ease of management and better security, but we may have to make do with what we have on hand. No money right now for a second server!
What is your opinion of a virtualized CF 9 server? Their developer did not like the idea. I'm just curious.
Gregg Hill
Hi Gregg,
I tend to find if a site is running virtual (VM or Hyper-V) well for other applications (Exchange, ISA etc) then CF on their virtual structure should be just fine. If they run “metal” for everything and want to install CF on virtual then more than likely issues will be encountered. I have a personal preference for metal.
HTH, Carl.
I don't believe there's any technical reason why it won't install, it's just a Java application. Certainly the hardware is more than up to it, as you say AD boxes tend to be separate purely for sandboxing purposes rather than performance ones, most of them sit there doing nothing all day, with all config stored in RAM.
I suspect it's purely a security issue. If someone hacks your site, they have read access to pretty much everything on your AD controller, which is generally considered a bad thing. For that reason, I'd think carefully about it.
What I'd do (and this links nicely onto your Virtualisation question) - is virtualise the lot. I work for a hosting company (by no means the cheap-end) and all our new shared servers are virtualised. The limitations within CF all tend to be to do with heap sizes, running hundreds of sites on one CF box (which is certainly possible, it's how our older servers are configured) is absolutely fine, but it only takes one customer with a dodgy loop or hung thread to bring the box down. Increasing heap sizes can fix some problems, but CF then slows down trying to manage that much memory.
What we do now is to have one high-spec physical box. Install VMware ESXi on it, and create four or five virtual machines. The same number of customers are then on the same physical box, but are spread across several CF installs. Everyone gets better performance, and not once (touch wood) has it come back to bite us in the ass.
You could then install your AD box, CF box, SQL servers (if you wanted to) as individual virtual machines on the same hardware. You get all the security benefits for zero extra cost.
The idea of not even considering virtualisation is a foolish one, and generally (although there are exceptions) running one install per physical box is becoming increasingly wasteful, on both resource and finance.
Virtualisation FTW, as they say...
"If someone hacks your site, they have read access to pretty much everything on your AD controller...."
The new server is behind a firewall that requires authentication before it opens port 80 to the web database the company uses for a handful of remote users, and that database also requires a user name and password. I think from that standpoint it should be secure.
Then again, the CF developer will probably be the determining factor.
Gregg
Well, I never made the server into a DC, but after CF9 was installed, the web console for Trend Micro WFBS fails. It seems that a "handler" named "AboMapperCustom-17082" has taken over and will not let the Trend Micro "OfficeScan" web site run executables it needs to display properly.
This text is copied from a failed window in the WFBS (Worry-Free Business Security) web console that uses the "OfficeScan" web site. I am NOT a programmer, so I have no idea if I can bypass that handler, or why it even affects a completely different virtual web site than the CF 9 site.
Server Error in Application "OFFICESCAN"
Internet Information Services 7.5
Error Summary
HTTP Error 403.1 - Forbidden
You have attempted to run a CGI, ISAPI, or other executable program from a directory that does not allow executables to run.
Detailed Error Information
Module IsapiModule
Notification ExecuteRequestHandler
Handler AboMapperCustom-17082
Error Code 0x80070005
Requested URL https://server-main:4343/SMB/console/html/products/product_list_frameset.htm
Physical Path C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Web_SMB\Web_Console\html\products\product_list_frameset.htm
Logon Method Anonymous
Logon User Anonymous
Most likely causes:
The "Scripts" or "Scripts and Executables" flag is not configured in Rights and Permissions at the server, site, application, or page level.
The configuration/system.webServer/handlers@accessPolicy attribute does not have Script or Execute configured.
Execute access is denied when you try to run a CGI file or other executable.
Script access is denied when you try to access an ASP, ASP.NET or other dynamic scripting file.
The script mapping for the file you are trying to run is not configured to recognize the HTTP verb you are using (such as GET or POST).
The HTTP verb for the script mapping is case sensitive, and use upper case. The HTTP verb "POST" is correct, while "post" is incorrect and execution is denied.
Things you can try:
Enable scripts to run for the requested resource.
Open IIS Manager and navigate to the level you want to manage.
On the Features page, double-click the Handler Mappings feature.
On the Handler Mappings page, in the Actions pane, click Edit Handler Permissions.
In the Edit Handler Mappings dialog box, select Scripts to enable handlers that require script rights.
Verify the configuration/system.webServer/handlers@accessPolicy setting at the server, site, application and page level.
Verify that the script mapping is configured to recognize the HTTP verb you are using, and that the verb is in uppercase.
Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Links and More Information
This error occurs when the Execute Rights setting for the requested resource does not allow scripts to run. Set the Execute Rights property for the resource at the server, site, application, and file level. To resolve this problem, verify the Execute Rights setting at each of these levels, and set the appropriate Execute Right at the desired level.
View more information »
Microsoft Knowledge Base Articles:
318380
Well, the easy fix was to remove the Trend Micro software and reinstall it using its Apache web server choice. It works fine.
That still does not explain WHY CF9 threw its own "handler" item into ALL virtual web sites and screwed up the other sites. Personally, I think the guy who assisted the developer installed it incorrectly so that it took over all sites rather than just the one for the CF9 app.
We may never know!
Thank you for your help, everyone!
Gregg Hill
>That still does not explain WHY CF9 threw its own "handler" item into ALL virtual web sites and screwed up the other sites. Personally, I think the guy who assisted the developer installed it incorrectly so that it took over all sites rather than just the one for the CF9 app.
Yup, during the installer there's an option to install for "All Websites" or "Specific Websites" - it certainly does for IIS, so I assume it's the same for Apache. I bet if you skipped that step and manually ran the Web Server Connector afterwards you'd be able to install it without breaking any other sites
Owain,
I initially had the Trend Micro software running fine on IIS 7. It was only after the CF9 installation that it choked, so I removed it and installed it with its own Apache option. Apache is ONLY for Trend Micro, and only because CF9 broke it. Trend Micro says that CF9 does not cause problems for their software, so it looks even more like CF9 was set to apply to all sites.
I should have had the developer fix the problem caused by CF9.
Now that his installation is done, is there a way to undo the fact that it applies to all sites?
Gregg Hill
Hi Gregg,
>Now that his installation is done, is there a way to undo the fact that it applies to all sites?
You could run:
ColdFusion9\bin\connectors\Remove_ALL_connectors.bat
Then you will need to run WSCONFIG tool to join CF to a webserver / site.
HTH, Carl.
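Before removing and re-adding connectors, it helps to confirm where the handler is actually defined. The following is an added example, not part of the thread and not Adobe or Microsoft code: it parses a copy of applicationHost.config and reports, per site, whether a wildcard IsapiModule handler is inherited from server level and which rights it requires that the site's accessPolicy does not grant. The sample config, the CFApp and Intranet site names, the DLL path and the requireAccess value are constructed, and it assumes no site-level web.config overrides.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like IIS 7.x applicationHost.config. The CFApp and
# Intranet sites, the DLL path and the requireAccess value are placeholders.
SAMPLE = r"""<configuration>
 <system.webServer>
  <handlers accessPolicy="Read, Script">
   <add name="AboMapperCustom-17082" path="*" verb="*" modules="IsapiModule"
        scriptProcessor="C:\placeholder\connector.dll" requireAccess="Execute"/>
   <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" requireAccess="Read"/>
  </handlers>
 </system.webServer>
 <location path="OFFICESCAN"><system.webServer><handlers accessPolicy="Read, Script"/></system.webServer></location>
 <location path="CFApp"><system.webServer><handlers accessPolicy="Read, Script, Execute"/></system.webServer></location>
 <location path="Intranet"><system.webServer><handlers><remove name="AboMapperCustom-17082"/></handlers></system.webServer></location>
</configuration>"""

def rights(value):
    """Split an accessPolicy / requireAccess string into a set of rights."""
    return {r.strip() for r in (value or "").split(",") if r.strip() and r.strip() != "None"}

def audit_wildcard_isapi(config_xml):
    """Return (site, handler, scope, rights missing from accessPolicy) tuples."""
    root = ET.fromstring(config_xml)
    server = root.find("system.webServer/handlers")
    server_adds = server.findall("add") if server is not None else []
    server_policy = server.get("accessPolicy") if server is not None else None
    findings = []
    for loc in root.findall("location"):
        local = loc.find("system.webServer/handlers")
        if local is None:
            inherited, own, policy = server_adds, [], server_policy
        else:
            # <remove> and <clear> drop entries inherited from server level.
            removed = {r.get("name") for r in local.findall("remove")}
            cleared = local.find("clear") is not None
            inherited = [] if cleared else [h for h in server_adds if h.get("name") not in removed]
            own = local.findall("add")
            policy = local.get("accessPolicy") or server_policy
        for scope, handlers in (("server", inherited), ("site", own)):
            for h in handlers:
                if h.get("path") == "*" and "IsapiModule" in (h.get("modules") or ""):
                    missing = sorted(rights(h.get("requireAccess")) - rights(policy))
                    findings.append((loc.get("path"), h.get("name"), scope, missing))
    return findings

if __name__ == "__main__":
    for site, name, scope, missing in audit_wildcard_isapi(SAMPLE):
        print(f"{site}: {name} from {scope} level; missing rights: {missing or 'none'}")
```

A "server" scope result on a site that is not the ColdFusion site means the connector was mapped for all sites; after re-running the connector tool against a single site, the same audit should show the handler at "site" scope only.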