HOW TO: Setup IIS Web Server in Windows Server 2012 Using PowerShell

If you're looking to create an unattended installation scenario for an IIS Web Server one approach would be to script your installation using PowerShell. This article describes the installation steps for IIS on Windows Server 2012. With these steps you can assemble a script for the provisioning of your application use case.

Preparation Steps for IIS Web Servers
  • Install Web Server Role and Baseline Windows Features for a Web Server. 
    • This is important as Active Directory is heavily dependent on system time across servers for multiple factors. You may be able to skip this step but it’s always good to be sure, especially if you’re infrastructure is geographically dispersed.
    • See: http://technet.microsoft.com/en-us/library/hh825053.aspx
    • Command: Install-WindowsFeature -name Web-WebServer, Web-Http-Redirect, Web-Log-Libraries, Web-Dyn-Compression, Web-Cert-Auth, Web-Windows-Auth, Web-Scripting-Tools, Web-Mgmt-Service -IncludeManagementTools
  • If your web server will use SSL, Add the SSL certificate to the Local Certificate Store
    • This is required for the certificate to be available to IIS for use with an SSL Binding.
    • Both commands assume that the SSL certificate has been copied to the root of the C disk and do not account for how that has been done. If you're running in AWS one approach may be to place your certificate in an S3 bucket and download it using the Read-S3Object cmdlet.
    • Command:
      • If you have a certificate without private key.
        • See: http://technet.microsoft.com/en-us/library/hh848630.aspx
        • Import-Certificate -FilePath "C:\<<Certificate Name>>" -CertStoreLocation "cert:\LocalMachine\My"
      • If you have a pfx.
        • See: http://technet.microsoft.com/en-us/library/hh848625.aspx
        • Import-PfxCertificate -FilePath "C:\<<Certificate Name>>" -CertStoreLocation "cert:\LocalMachine\My" -Password "<<Your PFX Password>>"
  • If your web server is part of a domain and you plan to use Group Managed Service Accounts (gMSA), Install AD Powershell cmdlet’s
    • This step is required so that your server can provision aaplication service accounts for itself. 
    • Command: Install-WindowsFeature RSAT-AD-PowerShell
  • Create a directory for your application
    • This creates a directory in the inetpub folder for your application
    • Command: New-Item -ItemType directory -Path “C:\inetpub\<<Path>>”
  • Create a service account for your application
    • This step creates a service account for your application pool identity.
    • If part of a domain and using gMSA for your application identity.
      • This step requires that your server be a member of a group that represents servers which should have access to the gMSA you'll create. You can create a group if one doesn't exist using command 1 and then you'll need to add your computer to that group using command 2.
        • Command 1: if ((Get-ADGroup "<<Group Name>>") -eq $null) { New-ADGroup -Name "<<Friendly Name>>" -SamAccountName "<<Group Name>>" -GroupCategory Security -GroupScope Global -DisplayName "<<Friendly Name>>" -Path "<<DN of Location For Group>>" -Description "<<Description>>"  }
        • Command 2: Add-ADGroupMember (Get-ADGroup <<Group Name>>) –Member (Get-ADComputer $env:computername)
      • See: http://technet.microsoft.com/en-us/library/ee617211.aspx
      • Command: New-ADServiceAccount -Name "<<Friendly Name>>" -DNSHostName "<<FQDN of Account>>" -SamAccountName "<<Account Name>>" -PrincipalsAllowedToRetrieveManagedPassword <<Group Name>>
    • If part of a domain and using a standard user for your application identity.
      • See: http://technet.microsoft.com/en-us/library/ee617253.aspx
      • Command: New-ADUser "<<Account Name>>" -Type iNetOrgPerson -Path "<<DN of Location For User>>"
    • If not part of a domain
      • Sorry, you'll have to look into the steps for this use case.
  • Create Application Pool for Your App
    • This creates a new IIS application pool for your application.
    • The first command creates the app pool. The second command sets the app pool identity. If you're using a gMSA besure that your Username ends with the $.
    • Command 1: New-WebAppPool <<Pool Name>>
    • Command 2: import-module webadministration Set-ItemProperty -Path IIS:\AppPools\<<Application Name>> -Name processmodel.identityType -Value 3Set-ItemProperty -Path IIS:\AppPools\<<Application Name>> -Name processmodel.userName -Value <<Username>>
  • Create IIS Website
    • This creates a new IIS website for your application.
    • Note that you'll generall want to use port 80 unless you plan to use SSL in which case you'll generally want to use port 443.
    • If you're using SSL
      • Command: New-WebSite -Name <<Application Name>> -Port <<Port Number>> -PhysicalPath "C:\inetpub\<<Path>>" -SSL
    • If you're not using SSL
      • Command: New-WebSite -Name <<Application Name>> -Port <<Port Number>> -PhysicalPath "C:\inetpub\<<Path>>"
  • If you want to use SSL, Configure SSL Binding with Certificate
    • This associates your SSL certificate with the website binding that was created when your application was created.
    • Command: Get-ChildItem cert:\LocalMachine\My | where { $_.Subject -like "<<YOUR STRING HERE*>>" } | select -First 1 | New-Item IIS:\SslBindings\0.0.0.0!443
  • From here the steps would vary based on your application. You may need to install additional frameworks, software or windows features to support application functionality.
Labels: , ,