Configuring highly available FTP server on existing Windows Server 2008 failover cluster – without FTP dedicated storage

More than once I have had to set up a “light” FTP server after a failover cluster had already been deployed and no additional storage for FTP had been planned. Additional servers for highly available FTP were not an option either. Microsoft has an article that describes how to configure a highly available FTP site in a Windows Server 2008 failover cluster. The problem with that solution is that it requires additional available storage for your FTP site and, simply put, it’s a bit complicated. I’ll show you how to quickly set up a highly available FTP server on an existing Windows Server 2008 failover cluster without FTP-dedicated storage.

Please be careful not to impact the performance of your database or any other clustered application by setting up a high-volume FTP server on an existing shared disk. High-volume FTP usually works with a lot of files, which can create a substantial load on your storage.

Steps are:

  • Create domain user for FTP
  • Create FTP root folder, user root folder and assign permissions
  • Setup FTP IP address
  • Create and configure FTP on each cluster node
  • Make FTP server highly available

Prerequisites:
Make sure that IIS 7.0 is installed on each cluster node.
If you are using Windows Server 2008, do not include the “FTP Server” role; instead, download and install FTP 7.5 from one of the following locations:

If you are using Windows Server 2008 R2, include the “FTP Server” role when installing IIS 7.0.

Create domain user for FTP:
In ADUC, create a user for FTP and assign it the least possible permissions on each cluster node.

Create FTP root folder, user root folder and assign permissions:
Make sure you are logged in to the cluster node that owns the cluster group with the storage where you will place your FTP root folder. Every FTP server needs a root folder, and in our case we will need a subfolder structure for isolating users. The FTP server’s engine logs a user in according to the username. For domain users the home folder will be: %FTPRoot%\%UserDomain%\%UserName%

Example: We created a domain user ftpuser@mydomain.local, so the full path to its FTP home folder will be %FTPRoot%\MYDOMAIN\ftpuser.

After creating the folders, set the following properties on each user’s folder:

  • On the Security tab, under Advanced, disable “Include inheritable permissions from this object’s parent”.
  • Remove “Users” from “Group or user names” and add the FTP user with appropriate access rights (this way you ensure FTP user isolation).
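
The same folder layout and permission steps, scripted in PowerShell with icacls. This is an added example, not part of the original post; the F:\FTPRoot path and the Modify right are assumptions, and the account is the example user from above.

```powershell
# Added example, not from the original post.
# Assumptions: F:\FTPRoot is the FTP root on the shared disk, and Modify (M)
# is the "appropriate access right" for the FTP account.
$FtpRoot  = 'F:\FTPRoot'
$Domain   = 'MYDOMAIN'      # NetBIOS domain name, as in the example above
$User     = 'ftpuser'
$UsersSid = 'S-1-5-32-545'  # well-known SID of BUILTIN\Users

function Invoke-Icacls {
    # Run icacls and stop on the first failure so a half-applied ACL is noticed
    & icacls.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $args failed with exit code $LASTEXITCODE" }
}

# Build %FTPRoot%\%UserDomain%\%UserName%
$HomeDir = Join-Path (Join-Path $FtpRoot $Domain) $User
New-Item -ItemType Directory -Path $HomeDir -Force | Out-Null

# Disable inheritance; ":d" keeps the inherited entries as explicit copies
# instead of dropping them, so SYSTEM and Administrators keep their access.
Invoke-Icacls $HomeDir '/inheritance:d'
# Remove the Users group, addressed by SID so localized group names do not matter
Invoke-Icacls $HomeDir '/remove:g' "*$UsersSid"
# Grant the FTP account Modify on this folder, its subfolders and files
Invoke-Icacls $HomeDir '/grant' "${Domain}\${User}:(OI)(CI)M"

# Verify: the ACL must be protected from inheritance and hold no Users entry
$acl   = Get-Acl $HomeDir
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$usersLeft = @($rules | Where-Object { $_.IdentityReference.Value -eq $UsersSid })
if (-not $acl.AreAccessRulesProtected -or $usersLeft.Count -gt 0) {
    throw "$HomeDir is not isolated: inheritance or a Users entry is still present"
}

# Print the final ACL so any other broad group left on the folder can be reviewed
icacls.exe $HomeDir
```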


Setup FTP IP address:
One of the things that makes your FTP server highly available is a unique IP address that stays the same regardless of which cluster node serves the clients. To create a unique IP for the FTP server we have to create a Client Access Point in the cluster group that owns the shared disk with the FTP content. An access point is a name and associated IP address information that we will add as a resource to our cluster group. This IP address will “travel” with the cluster group and storage, making your FTP always accessible.

Create and configure FTP on each cluster node:
Open IIS Manager and follow these few basic steps to create a new FTP site.

Right-click Sites, then select Add FTP Site.

Give your FTP site a name and enter the physical path – it should point to the FTP root folder previously created on the shared drive.

Binding and SSL settings:


Under Authorization you can add multiple users (delimited with semicolons), or you can add them later. Each user will be logged in to their own folder if you followed the naming convention explained earlier.

[Screenshots: Authentication; User isolation]

After creating the FTP site on the first node you need to configure FTP on the other cluster nodes. Using Appcmd.exe allows you to create the FTP site on the other nodes without needing to fail over a group. You need to fail over if you want to create the FTP site from IIS Manager, since it won’t see the shared storage on the other nodes. Of course, for proper testing you will need to fail over the group with the FTP storage and the monitoring script to the other node.

To export the FTP site settings (change “TestFTP” to the name of your FTP) run from command prompt:
%windir%\system32\inetsrv\AppCmd.exe LIST SITE "TestFTP" /config /XML > TestFTP.xml

To import the settings on another node:
%windir%\system32\inetsrv\AppCmd.exe ADD SITE /IN < TestFTP.xml

Most things can be scripted, but if you have a two-node failover cluster, creating some things manually is faster (application pool, SSL certificates, bindings etc.). Please check that all the settings on the other cluster nodes match the active node. This can be done from IIS Manager once the FTP site is created.
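
One way to do that check from the command line is to export the site on each node with the LIST SITE command above and compare the two exports attribute by attribute. The following is an added example, not part of the original post; the two XML documents are constructed, simplified sample input, and real exports would be loaded with [xml](Get-Content <file>).

```powershell
# Added example (not from the original post). Constructed, simplified sample
# exports for two nodes; node 2 has drifted to a weaker control-channel policy.
[xml]$node1 = @'
<appcmd><SITE SITE.NAME="TestFTP"><site name="TestFTP"><ftpServer>
  <security><ssl controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" /></security>
  <userIsolation mode="IsolateAllDirectories" />
</ftpServer></site></SITE></appcmd>
'@
[xml]$node2 = @'
<appcmd><SITE SITE.NAME="TestFTP"><site name="TestFTP"><ftpServer>
  <security><ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslRequire" /></security>
  <userIsolation mode="IsolateAllDirectories" />
</ftpServer></site></SITE></appcmd>
'@

function Get-FlatSettings([xml]$Doc) {
    # Map "element path/@attribute" to the list of values found there.
    # The get_*() accessors are used because PowerShell's XML adapter lets an
    # attribute such as name="..." shadow the .NET Name property.
    $flat = @{}
    foreach ($attr in $Doc.SelectNodes('//@*')) {
        $path = @()
        $el = $attr.get_OwnerElement()
        while ($el -is [System.Xml.XmlElement]) {
            $path = @($el.get_Name()) + $path
            $el = $el.get_ParentNode()
        }
        $key = '/' + ($path -join '/') + '/@' + $attr.get_Name()
        # Repeated elements (several bindings or rules) share a key: keep every value
        if (-not $flat.ContainsKey($key)) { $flat[$key] = @() }
        $flat[$key] += $attr.get_Value()
    }
    return $flat
}

function Compare-SiteExport([xml]$Reference, [xml]$Other) {
    $a = Get-FlatSettings $Reference
    $b = Get-FlatSettings $Other
    foreach ($key in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
        $va = if ($a.ContainsKey($key)) { ($a[$key] | Sort-Object) -join '; ' } else { '<missing>' }
        $vb = if ($b.ContainsKey($key)) { ($b[$key] | Sort-Object) -join '; ' } else { '<missing>' }
        if ($va -ne $vb) {
            New-Object PSObject -Property @{ Setting = $key; Reference = $va; Other = $vb }
        }
    }
}

# Emits one object per setting that differs between the two nodes
Compare-SiteExport $node1 $node2 | Format-List
```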

Make FTP server highly available:
The last step in configuring a highly available FTP site is to set up the generic script resource that will be used to monitor the FTP service. Copy the following script to Windows\System32\inetsrv\Clusftp7.vbs and add it as a generic script resource in Failover Cluster Management.

'This script provides high availability for IIS FTP websites
'The script is applicable to:
' - Windows Server 2008: Microsoft FTP Service 7.5 for IIS 7.0 (available for download from microsoft.com)
' - Windows Server 2008 R2: FTP Service in the box
'More thorough and application-specific health monitoring logic can be added to the script if needed

Option Explicit
'Helper script functions

'Start the FTP service on this node
Function StartFTPSVC()

    Dim objWmiProvider
    Dim objService
    Dim strServiceState
    Dim response

    'Check to see if the service is running
    Set objWmiProvider = GetObject("winmgmts:/root/cimv2")
    Set objService = objWmiProvider.Get("win32_service='ftpsvc'")
    strServiceState = objService.State

    If UCase(strServiceState) = "RUNNING" Then
        StartFTPSVC = True
    Else
        'If the service is not running, try to start it
        response = objService.StartService()

        'response = 0 or 10 indicates that the request to start was accepted
        If ( response <> 0 ) And ( response <> 10 ) Then
            StartFTPSVC = False
        Else
            StartFTPSVC = True
        End If
    End If

End Function

'Cluster resource entry points. More details here:
'http://msdn.microsoft.com/en-us/library/aa372846(VS.85).aspx

'Cluster resource Online entry point
'Make sure the FTP service is started
Function Online( )

    Dim bOnline
    'Make sure FTP service is started
    bOnline = StartFTPSVC()

    If bOnline <> True Then
        Resource.LogInformation "The resource failed to come online because ftpsvc could not be started."
        Online = False
        Exit Function
    End If

    Online = True

End Function


'Cluster resource Offline entry point
'On offline, do nothing.
Function Offline( )

    Offline = True

End Function


'Cluster resource LooksAlive entry point
'Check for the state of the FTP service
Function LooksAlive( )

    Dim objWmiProvider
    Dim objService
    Dim strServiceState

    Set objWmiProvider = GetObject("winmgmts:/root/cimv2")
    Set objService = objWmiProvider.Get("win32_service='ftpsvc'")
    strServiceState = objService.State

    If UCase(strServiceState) = "RUNNING" Then
        LooksAlive = True
    Else
        LooksAlive = False
    End If

End Function


'Cluster resource IsAlive entry point
'Do the same health checks as LooksAlive
'If a more thorough check than what we do in LooksAlive is required, it should be performed here
Function IsAlive()

    IsAlive = LooksAlive

End Function


'Cluster resource Open entry point
Function Open()

    Open = True

End Function


'Cluster resource Close entry point
Function Close()

    Close = True

End Function


'Cluster resource Terminate entry point
Function Terminate()

    Terminate = True

End Function