Random Rants & Raves

The Microsoft Solution for Windows-based Hosting 4.5 is a set of services and tools that allow hosting providers to configure, deploy, provision, manage, monitor and update their servers to provide Web, Data and Collaboration hosting using the Microsoft platforms of IIS, SQL Server and Windows SharePoint Services. Wbh consists of a number of different infrastructure components including Automated Deployment Services, Active Directory, MS System Center, Windows Server Update Services and the Microsoft Provisioning System (MPS).

The MPS is the platform that allows the hosting provider to provision services - such as the Web hosting, Data hosting and SharePoint hosting for their customers using a simplified control panel front end. However, setting up the infrastructure of MPS is quite complex and requires 8-9 server just for the management infrastructure alone. I've been working with a large number of hosters in India for enabling them on the WbH platform and this turned out to be a major stumbling block for them - both in terms of number of servers to setup and the complexity of the procedure. Microsoft India then went ahead and asked me to create a proof-of-concept for deploying MPS on a single server for demo and low end usage scenarios. I decided to do this inside a Virtual PC and install everything within it.

The WbH solution requires Windows 2003 or Windows 2008. However, the MPS service can only run on Windows 2003. To install the MPS part of the WbH infrastructure you will need to download the following two components from the WbH Download Page.

1. Service Provisioning.zip
2. Samples.zip

Installing everything into a single machine/VPC requires some creative manipulation of the Deployment Walkthrough for MPS. I will be linking to a detailed walkthrough that shows how this can be achieved a little later. However, as the title of the post says, there is a showstopper error that comes a good way into the deployment process and solving it took a fair amount of time.

When you use the Deployment Tool to go ahead and deploy the MPS Core Platform and Hosting Platform they work fine. However, when you try to install the Business Web Service on the machine, you run into a major issue. you get an exception that says:

MSI log returned non-zero error code 1603

As soon as you get this error, the system rolls the deployment of this step back and you lose the Web application and the web services that were extracted. You can check the log file for MPSWebServices.msi in the c:\ConfigShare\log folder to see the cause of this error. Open the log file in Notepad and do a search for "value 3". Look at the line above this that says:

Error setting new DACL for: C:\WINDOWS\Temp

Now this error seems innocuous enough and you might think that giving Everyone, Full Control on c:\Windows\Temp will solve the issue. Unfortunately it doesn't. Nor does deleting the folder and recreating it, changing setting in Domain Security Policy or a myriad of other things that I tried. In fact, a bunch of searches on Live and Google did not get me any answers at all on this - other than some forum posts (here, here, & here) that detailed the same error but with no resolution. In fact, the last answer on the 3rd post linked says that it is simply not possible to provision MPS on an AD server.

Further investigation in the log showed me that there is a InstallHelper.vbs script that runs a bunch of commands that perform this deployment. Searching around everywhere did not get me this file. I did get a InstallHelper.msi that unfortunately only had a DLL file within it. Extracting the MPSWebServices.msi file got me the files of the Web services itself but the installation was not complete.

It was late at night when I finally found the fix to this issue. More...
Tags: wbh, mps, provisioning, tips, msi error 1603
Categories: IIS | Internet | Microsoft | Windows Server 2008

I've been using and playing with the different betas and RCs of Windows Server 2008 all this while. In each of them, one of the nice things that I found was the out-of-the-box availability of Windows SharePoint Services (WSS) 3.0. This allowed me to use and show off SharePoint quickly in a demo and stuff. The auto installation of required Windows, IIS, and database components was a great plus as well.

Today, I went ahead and installed Windows Server 2008 Enterprise edition on a machine on my network. After setting up basic stuff on it (IIS7 with some additional options, etc.), I planned to make this a small intranet-like system for my dev team to be able to collaborate on. I went into the Roles window to add the SharePoint role and couldn't find it there. I tried looking in the Features window, but it wasn't there either. I then ran the command:

ServerManagerCMD -query | find "SharePoint"

from the command prompt to see if I could at least install it from there. But no luck. WSS seemed to have vanished from the install media. A little bit of searching however got me to this announcement that states that the RTM of Windows Server 2008 will not carry WSS3. You will need to download and install WSS3 Service Pack 1. (BTW, the announcement states that RC1 and above will not carry WSS. This is not true. I have a VPC still installed with RC1 that had WSS available and working fine).

Anyway, the download is about 104 MB. Once done I ran the SharePoint.exe that got downloaded. The first error I got was about the missing Windows Workflow Foundation.

So I went back to Server Manager and installed .NET Framework 3.0 from the Features section. Once this was done and I started the install again, it went through smoothly. I was surprised that the installer didn't use the Windows Internal Database feature that is part of Windows Server 2008. Instead it went and installed its own version of this database. After this came the SharePoint Products and Technologies Configuration Wizard - which took a little while to complete. Once this was complete, the site was ready. You could browse over to the home page after logging in (and adding the site to trusted site in IE).

My only thought on this whole thing was it sure is a pity that they removed WSS as a role in Windows 2008. It was an integrated install experience for setting up something important and it just felt much nicer than installing it by the usual download, check dependency errors, install routine.

One of the nice new features in IIS7 is the ability for administrators to lock and unlock configuration settings - both at a global level and also at a site specific level. This allows you to have scenarios like this:

1. Administrator locks a configuration section - say Authentication - Basic - at the global level. This means that none of the sites on that server can override this setting and change the authentication type.
2. Administrator locks a configuration section - say Default Document - for a particular site. Therefore that particular site will be unable to modify the default document
3. Administrator unlocks a configuration section - say the same as in (1) - for a particular site. That site therefore will be able to modify the setting and change the type of authentication

All this is done inside the main configuration files. The new IIS7 config file is found in \windows\system32\inetsrv\config\applicationHost.config. The global ASP.NET configuration file is found in \windows\Microsoft.net\Framework\v2.0.52707\config\Web.config.If you open these two files you will be able to find out what sections are locked or unlocked.

For instance, take a look at the following examples:

<location path="" overrideMode="Deny">
    <system.web>
        <membership>
            <providers />
        </membership>
    </system.web>
    <system.net>
        <mailSettings>
        </mailSettings>
    </system.net>
</location>

The overrideMode set to Deny ensures that no sites can override the membership and mailSettings sections in their own web.config files. The path attribute on line 1 can be set to "" (blank) or "." (period) to refer to the entire server.

<location path="MySite" overrideMode="Allow">
    <system.web>
        <membership>
            <providers />
        </membership>
    </system.web>
 </location>

In this section, the MySite site Allows the membership section to be overridden.

<location path="Site" overrideMode="Deny">
    <system.web>
        <machineKey />
    </system.web>
</location>

So how do you go about doing this? Well, simple actually. You can use the new appcmd tool to perform all of these. For instance:

appcmd lock config -section:system.web/membership

will lock the membership section of the configuration

appcmd unlock config -section:system.web/membership "MySite"

will unlock the membership section for only the MySite site

appcmd lock config -section:system.web/machinekey "MySite"

will lock the machinekey section for only the Mysite site

So how do you find out what are these section names? Well, you can open up the two config files mentioned above and browse through them. Or alternatively, you can get a full list of the section names using the following command:

appcmd lock config -section:?

This gives you list of all the section names/keys that you can use in the above commands.