Hi Peter,

I first want to thank you for helping out with other issues.

I now have some questions about setting up searching in my enterprise environment:

• Web Server (Machine A) : Win 2003 SP1, DNN 4.8.2, DMX 4, Lucene provider
• DB Server (Machin B) : Win 2003 SP1, SQL Server 2005 Ent.
• File Server (Machine C): Win 2003 SP1, DMX Repository is here.

My questions:

1. I downloaded all required iFilters for MS Office and Adobe, but I'm not sure on which machine(s) to install them.
2. If I use Lucene, do I still need to set up Indexing Services on any machine(s)?
3. In order to use the File Server, I have to create a mapped drive on the Web Server. What User/UserGroup, and what security permissions do you recommend to give on the mapped drive?

I also have another question which applies to this environment, but concerning WebDAV. I followed the install manual (WebDAV.doc) closely, and I got stuck at the part where adding a Network Places link on a client machine. The document says to use www.MachineA.com/dmxdav.axd/MyRepository/SubFolder. My problem is that I need to point my link to Machine C which is not running the site. Is it still possible to set up WebDAV in this architecture to take advantage of Office and Win Explorer integration?

Thanks again for all your help!

Rad,

1. It depends on the search engine you'll be using. For Lucene they go on the web server, for IS they go on the file server.
2. No.
3. This is the tricky part. Both machines have to be in a DOMAIN as the file server must give access to the worker process from the web server. So on machine A you need to set an identity to the worker process that is managed by the domain controller (i.e. not the machine's own NETWORK SERVICE account). Then the worker process will work under that identity. Now make sure the file server gives full access to the share to this account.

Peter

Concerning the WebDAV: it's the web server (machine A) that is the front-end of everything. The fact you're using a 3 tier setup has no bearing on this. DMX uses its own webdav server (in contrast to competing products) so it can manage this itself.

Peter

Hi Peter,

For IS as the search engine, I believe the IFilters go on the SQL Server, since that is where IS must run as a linked server.

Also, Rad while, in my opion, you should run the App Pool for the site under a low level Domain account, you would probably be better off using an UNC path rather than a mapped drive for all of this to work well.

Rob Ralston

Thanks Rob. @Rad: Rob is a very experienced user of DNN/DMX, so I'd take his word for it.
Peter

Hello gentlemen,

thank you both for your help.

@Rob:

~#1: I was also under the inpression that iFilters were installed on the SQL machine when using IS. However, I'll be using Lucene unless you tell me it won't work in my environment.

My first attempt at the setup was to use UNC to the desired folder. I get the following message:

"The path cannot be accessed. Please check that the worker process has full access to the path."

In my original post, this was the reason I say "I have to create a mapped drive...".

I'm not a network guy so all this "low level domain" talk somewhat escapes me. I hate making assumptions, so I really would appreciate if someone could explain this point, or refer me to a good source.

Thanks again

Rad,

On the host settings page, what does it say next to "ASP.NET Identity: " at the top? Mine, for instance, says "NT AUTHORITY\NETWORK SERVICE "

Peter

Hi Rad,

The network and Domain stuff can get a bit sticky. However, to best help you out, please answer Peter's question about the ASP.Net identity, and 2 lines below that is an item called Permissions. If the data to the right is empty, then you are running in Medium Trust (or lower). Medium Trust is a good thing, but has it's own challenges.

If you are in Medium Trust, Lucene will not work and folder access outside of the portal folder hierarchy is restricted unless specific configuration steps are taken.

So, please answer the above questions and we can go from there.

Hello,

Here are the host settings you requested :

ASP.NET Identity:	NT AUTHORITY\NETWORK SERVICE
Permissions:	ReflectionPermission, WebPermission

I also checked my web.config file. The tag is commeted out.

I really appreciate the help. What's next?

Thanks again

Hi Rad,
The 'NT AUTHORITY\NETWORK SERVICE' account is local to this server. The other server has an account under the same name in all likelyness, but it is not the same. You need to run under an account that is managed by your domain server.
Peter

Hi Rad,

 

Based on the permissions, you are running in Full Trust mode, which is the default and allows easier configuration. The Network Service account was introduced with Windows Server 2003 and does have credentials for network access to different servers in the same W2K3 Domain. Lucene requires Full Trust to work.

 

Having said that, I need to put on my IT Consultant hat for a moment. Full Trust and the Network Service account work. However, in my opinion, such a setup is only appropriate for an Intranet (non-Internet facing) application. It would be more secure to run the web site in Medium Trust, under a unique application pool identity using a low level domain account. Doing so is not something I could explain in a forum post. Also, Lucene does not work in Medium Trust, and you would have to use IS on the SQL Server. You and your IT department need to evaluate what is best for your business.

 

OK, I feel better now...

 

Here are two reference MSDN articles that may be of use to you:

For Network Service Account: http://msdn.microsoft.com...ibrary/ms998320.aspx

For Creating separate service account: http://msdn.microsoft.com...ibrary/ms998297.aspx

 

For the Network Service Account to be used to access a network share, you must create a share on the target server (you cannot use the default administrative share for a drive), and give both Share permissions and NTFS permissions to the Network Service account. You may want to hide the share from general network browsing by using a $ in the name: e.g., DMXSHARE$

 

For share permissions, remove the default Everyone group, then  give the Network Service account Change permissions so it can read/write, and on the folders themselves give the account at least NTFS modify permissions at the root folder that is shared. (also add whatever administrative share and NTFS permission that are required.)

 

At this point, you should be able to enter the repository location in DMX like this: \\myserver\dmxshare$

 

If things are set correctly, you should be able to add files to DMX folders now. I don't have any real experience with Lucene, but my understanding is it should work in this configuration.

 

Hope this helps.

 

Rob Ralston

SilverBullet Technologies LLC