Was installing Server 2016 Standard hard? Yes, and Nope...
A short story on the reason for installing this
Operating System on my previous 2008 R2 web hosting system: IIS 7.5 will not
support more than one web site that requires SSL (Secure Socket Layer) which
uses port 443 exclusively. So I had to spend another 120+ USD to get the OS and
then back up my web sites, databases, etc. Once that was done, format and
install...
After my struggles to get the Windows Server 2008 R2
installed and operational then doing it again with Server 2016 it was a little
easier, I only had to wipe the drive once when I made a mistake... Oops
Actually if you follow the (limited) documentation it is
fairly straightforward; about like Windows 7 or 10.
A fresh install requires some customization, mostly it
is with the services and mainly the networking; this is what is called a dual
homed computer, that means I have two dissimilar network cards, one for the
local network and one for a direct connect, no firewall through a router
straight to the internet; this is called a DMZ (Digital Media Zone) that is
outside the firewall giving the OS services and web sites direct access - along
with any hackers (until it is locked down!).
To keep the confusion (mine and the OS) to a minimum I
configured the local network first, with that done I worked on getting the rest
of the OS ready for the IIS install. The main reason for leaving the internet
network alone is I can connect remotely to the computer and work in an
environment that is better than the 1024x800 video, a keyboard, and mouse at the
computer, and that is at my desk.
After getting the basics done I do a little customizing
of the desktop, rename the Administrator, ensure a strong password (Best
Practices) then create my logon, password, then add it to the Administrators
Group. Finish the setup that needs to be done for a standard server, only one
service or role will be installed along with all the "Prerequisite Features" and
that is IIS 10.
I am now ready to install the next NIC, then connect to
the router in the DMZ, after installation and configuring I can ping the IP,
good to move on to:
Server 2016 IIS 10 installation
After learning the new lay out for IIS after the old IIS
6 with Server 2008 R2, finding a lot of the stuff for IIS 10 was fairly easy and
besides with the previous experience I bookmarked all of the pages I found trying to
get IIS 7.5 to run. However before doing any of that I made an image of the OS
drive and the "System Reserve" in case what I do cannot be undone, believe me
this is a necessary precaution, especially when you are doing it for the first
time and learning as you go...
Now ready to install the roles and features, if you
haven't seen the new and "improved" Server Manager applet and are familiar with
the older version well get ready for not doing things easier and faster... For
us older MCSE's that haven't had the pleasure of getting acclimated to this new
applet let me say it is by far not easier, nor is it faster. After poking around
in it for some time I got the hang of setting up the IIS 10, I picked out the
"features" I knew I would need like .Net 2+, .Asp, .CGI, etc. and then sat back and waited,
and waited, ya, it takes a long time to load all that stuff... Then it needed a
restart.
Moving to Server 2016 IIS 10 install...
Because in the M$ world there is only one mass storage
device in a server, you know C: drive so everything gets installed there. Once
the installation was complete I now had to test the IIS 10 hosting server for
connection to the "Default Web Site" before I move it to a different drive
(which I prepared as part of my prerequisites: Take exclusive ownership of the
drive, give my user id full rights, leave the other basic ID/Groups that were
added when the format was complete alone. Give the group "Everyone" read only
access) I check the default web site from another couple of workstations,
I get the iistart.htm page, I can connect; that is good, however that is a basic
web site of one page and an image.
When I moved IIS 7.5 to the drive I had to do a search
for installing IIS on a non-system drive, I used that information (in a batch
file) to move the IIS 10 from the C: drive to another drive. After testing the
default web site again I am ready for my next batch of hurdles, configuring Asp, CGI,
Authentication and so on. For the most part the added features are fairly easy
to configure once you find the information, if you need help try searching
Microsoft's web site for "Configuring IIS" the articles are well laid out and
informative.
Server 2016 IIS 10 adding web sites
Because I have a domain for this site I cannot use my
local IP for testing these sites, now I have to use my NIC that is connected to
the DMZ, this will give me access to the web sites the same as being out on the
internet and connecting, well kind of. Because my "work" computer is behind two
firewalls and the DMZ is outside the firewalls to connect I have to change my
network connection to the DMZ ip then with the IP address in a host file connect
to the web site. The web site domain is hosted elsewhere so to get a page on the
web site the NIC has the DNS from my ISP. The connection is fairly fast because
all the domain information is being sent from the hosting company. So a little
(no a lot) of back and forth from behind the firewalls to work on any problem I
am having with the connection to outside the firewalls to the DMZ... Luckily I
have two computers and a KVM switch between them - back and forth...
Server 2016 IIS 10 now for SSL
Now I believe I am ready to add my web site and blog;
crossing fingers I copy the web site directories from my external storage drive
to the web drive, then add them to the connections/sites and start to do my
specialized configuration of each site.
This web site was fairly easy to add, I had done the SSL
and the renaming of the web pages and links with the Server 2008 R2 SSL install,
a new certification for www.diy-computer-repair.net, set the SSL applet for the
web site, do the bindings and select the appropriate certificate, remember to
check the box on the bindings applet to use "Require Server Name Indication" (SNI)
then add the primary and secondary names for this web site, select the
certification and then test... Yup, looks good.
My next hurdle will be the blog, when I was struggling
with IIS 7.5 I decided that using a virtual directory would not work, that is on
the drive you have the web site directory such as: www.myweb.com, under it will
be all the files the web site will deliver, a virtual directory would be say
"blog" so you would add the directory blog under "www.myweb.com", then create
the virtual directory to say "www.blog.myweb.com" that would not work because
the certification I made at my hosting company - www.dnsexit.com
- was not allowed to use on a second web site even though it was under the same
web site... this is what I had: fix-it-blog.diy-computer-repair.net.
After some research I found a few ways to work around
this problem, unfortunately none of them would work, that is when I did the
bindings and picked the certification for the web site, the configuration would
fail for this web site, even with a separate certification for the blog the
binding would fail. Doing some more research I found that any IIS before 8.5
would not handle more than one binding for the port 443. Another suggested work
around was to use another port, however moving the binding to another port would
not allow for the certification to be verified and the binding would fail for
SSL...
So my next choice (after working on this for a few days)
was to upgrade my OS to Server 2012 and IIS 8+, well no, not in stock in the
places I looked, ebay had a few but Server 2016 was cheaper and newer so that is
what I ordered. I would get the DVD and license in ... Two Weeks! Or I could pay
an extra 28 USD for FedEx or UPS to get it in two days, what? It is coming from
LA Cal, before Covid-19 it would take mail three days to get here, two weeks
now, my how the world has changed.
Server 2016 IIS 10 and the firewall
Well I should have said Server 2016 updates and the
firewall. As with all new server builds one of the first things you should do
before making any changes is run the windows update service. Why? Because with
the best practices there are unneeded or unwanted services that are enabled,
these services may have an update however if they are disabled then the update
service will either not install an update or the update will fail.
I had done some work on the firewall, blocking (not
disabling) some of the more useless ports such as xbox, your account, work or
home account, your email, etc. You could disable the service port but that does
not block the use of the port! If you want to keep the hackers at bay then
"block" that port, not disable it. This little task takes some time so to fill
the time the updates were being done I did my firewall work. Bad idea and a
waste of time: Either the update service stopped the update of the firewall data
or one of the updates reset the firewall back to default settings. I learned a
lesson here: back it up! Use the export function built into the applet and make
a copy of any changes.
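
One way to script that backup lesson, as an added example that is not part of the original post: it exports the firewall policy while the custom block rules are intact and warns when a later run (for example after Windows Update) finds baseline rules missing. The folder D:\fw-backup and the file names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. $dir is a hypothetical backup folder.
$dir      = 'D:\fw-backup'
$baseline = Join-Path $dir 'block-rules-baseline.csv'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Full policy export: the command-line form of the applet's export function.
function Export-FirewallPolicy {
    $wfw = Join-Path $dir ('policy-{0:yyyyMMdd-HHmmss}.wfw' -f (Get-Date))
    netsh advfirewall export $wfw | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Firewall export to $wfw failed" }
    Write-Output "Policy exported to $wfw"
}

# One readable key string per enabled block rule: name, direction, protocol, ports.
function Get-BlockRuleKey {
    Get-NetFirewallRule -Action Block -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        '{0}|{1}|{2}|{3}|{4}' -f $_.DisplayName, $_.Direction, $port.Protocol,
            ($port.LocalPort -join ','), ($port.RemotePort -join ',')
    }
}
$current = @(Get-BlockRuleKey)

if (-not (Test-Path $baseline)) {
    # First run: record the current block rules as the known-good baseline.
    $current | ForEach-Object { [pscustomobject]@{ Rule = $_ } } |
        Export-Csv -Path $baseline -NoTypeInformation
    Export-FirewallPolicy
    Write-Output "Baseline written: $($current.Count) block rule(s)"
    return
}

# Later runs: report baseline rules that are no longer active.
$saved   = @(Import-Csv -Path $baseline | ForEach-Object { $_.Rule })
$missing = @($saved | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) block rule(s) from the baseline are gone:"
    $missing | ForEach-Object { Write-Warning "  $_" }
    # No export here, so a reset policy never lands next to the good copies.
    Write-Output 'Restore a good copy: netsh advfirewall import "<policy file>.wfw"'
} else {
    Export-FirewallPolicy
    Write-Output 'All baseline block rules are still in place.'
}
```

Delete the baseline CSV and run the script again after intentionally changing the block rules, so the new set becomes the reference.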
Server 2016 IIS 10 and making a blog work
Once the firewall, services, and updates are done back to
the blog. The virtual directory thing did not work with IIS 7.5 (I may try it on
IIS 10 later) so I decided a sub domain would be better because when you buy or
make your SSL certification (most hosting companies offer this as a free service)
you can make a certification that covers all of your domain and any sub domains
such as I have two domains and web sites:
https://www.diy-computer-repair.net and
https://fix-it-blog.diy-computer-repair.net however they are covered by one
verifiable certification: *.diy-computer-repair.net and with IIS 10 I can bind
both web sites to that certificate. How nice, a month, 120 USD, and an install of
Server 2016 with IIS 10 and I can touch both of my web sites with SSL or in lay
terms: HTTPS Fantastic!
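
The SNI bindings described here and in the SSL section above, done from PowerShell instead of the bindings applet (an added example, not part of the original post). The host names and the wildcard name come from the post; the IIS site names "diy-main" and "diy-blog" are hypothetical, and the certificate is assumed to be installed in the machine's Personal store already.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Site names are hypothetical.
Import-Module WebAdministration

$wildcard = '*.diy-computer-repair.net'
$sites = @{
    'diy-main' = 'www.diy-computer-repair.net'
    'diy-blog' = 'fix-it-blog.diy-computer-repair.net'
}

# Pick the newest unexpired wildcard certificate that has its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.DnsNameList.Unicode -contains $wildcard } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $wildcard in LocalMachine\My" }

foreach ($site in $sites.Keys) {
    $hostName = $sites[$site]
    $binding = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName
    if (-not $binding) {
        # SslFlags 1 is the "Require Server Name Indication" check box.
        New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*' `
            -HostHeader $hostName -SslFlags 1
        $binding = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName
    }
    # Attach the certificate, replacing a different one if the binding has it.
    if ($binding.certificateHash -ne $cert.Thumbprint) {
        if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
        $binding.AddSslCertificate($cert.Thumbprint, 'My')
    }
}

# Check the result: both sites should show sslFlags 1 and the same thumbprint.
# A 443 binding with sslFlags 0 would hand one certificate to every host name.
Get-WebBinding -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash |
    Format-Table -AutoSize
```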
There is more to this saga and I will be posting more
pages here and some tid bits on the newly restored
fix-it-blog.diy-computer-repair.net...
If you have any comments or suggestions feel free to post them on the soon to
be operational Blog...