Windows Azure Pack – Website clouds

Website clouds is a service provided by Windows Azure Pack to deliver web hosting to your tenants. This service is similar to web hosting provided by Microsoft Azure. Websites can use ASP.NET or PHP technologies and the website databases can be stored on SQL Server or MySQL. Thanks to Windows Azure Pack, several service levels can be delivered. Websites are created and managed from the Tenant self-portal.


Website clouds service is based on 6 roles:

  • Management servers are used by Windows Azure Pack to connect to the Website clouds infrastructure across a REST endpoint;
  • Web Controllers manage and provision other website’s roles. Provisioning is based on WebDeploy;
  • Front-End Servers handle web requests to route them to Web Workers. Responses are sent to clients across the front-end servers. This role is also responsible of Load Balancing and SSL termination;
  • Web Workers are web servers that host websites. By default two Web Workers are needed: one shared and one reserved. This enables to provide several service levels;
  • File Servers store website contents for every website hosted by Web Workers. File Servers can be a standalone file server, a file server cluster or a NAS;
  • Publisher servers enable to publish content to File Servers across FTP, WebMatrix or Visual Studio.

Moreover, three databases are needed (only one is represented in the above schema):

  • Service Management API database stores configuration data of the Windows Azure Pack.
  • Web Sites Runtime database is needed by Website clouds for operation. This database is represented in the above schema by
  • Application databases are optional. This is tenant databases that are used by websites (for example WordPress need a database).

In this article, I will build the above architecture and connect it to the Windows Azure Pack.


Common requirements

First of all, you need a functional Windows Azure Pack (WAP). If you have not yet installed WAP, you can read this topic. Next a database is needed for the Web Sites Runtime database. AlwaysOn is supported and you can follow this topic to prepare your database. When you install the database, be sure that mixed mode authentication is enabled.

Create servers

You need at least 7 servers to build the minimal Website clouds infrastructure. Windows Server 2012 is supported even if Windows Server 2012R2 is recommended. The following inbound accesses have to be granted:

  • File and printer sharing (SMB-In)
  • Windows Management Instrumentation (WMI-In)

I recommend you to apply this firewall rules by GPO. Next you have to disable User Account Control on each server role for remote connections by running below command:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Once the command is executed, restart your server.

To finish I have had an issue when I added a server role because KB2918614. This issue was error 997 in system logs that said Overlapped I/O Operation is in progress. If you have this error, remove the KB2918614.

DNS requirements

You have to prepare your DNS regarding below information:

  • A DNS suffix for websites is required. On my side every website will be created with the suffix;
  • Two Alias are required for publisher server. On my side, I will use and

To prepare the DNS zone for websites suffix, open dnsmgmt.msc and add a primary zone. On my side I have added a zone called Next add a CNAME entry in as below. Be sure that Alias name field is “*”. The target should be the front-end server.

Thanks to this configuration, all websites created will be routed to the Front-End Servers. Let’s try this configuration with nslookup:

I can specify any sub domain, the target will be always my front-end server. Next, don’t forget to add CNAME for ftp and publish where the target is the publishing server:


Several groups and accounts are needed for the Website clouds infrastructure. First create three global security groups:

  • GG-FileShareOwners
  • GG-FileShareUsers
  • GG-CertStoreFSUsers

Create Also five accounts:

  • sa-wap-fso
  • sa-wap-fsu
  • sa-wap-csu
  • sa-wap-web01
  • sa-wap-web02

NB: Password must be configured with these options:

  • Enable Password Never expires
  • Enable User cannot change password
  • Disable User must change password at next logon

Next configure group’s membership as below:

  • sa-wap-fso is member of GG-FileShareOwners
  • sa-wap-fsu is member of GG-FileShareUsers
  • sa-wap-csu is member of GG-CertStoreFSUsers

Below you have the PowerShell script to create and configure groups and accounts described above:

# Specify a password for your accounts
$Password = Read-Host –AsSecureString
# Groups creation
New-ADGroup -Name "GG-FileShareOwners" -GroupScope "Global" -GroupCategory "Security" -Path "OU=Groups,OU=Account,DC=Home,DC=Net"
New-ADGroup -Name "GG-FileShareUsers" -GroupScope "Global" -GroupCategory "Security" -Path "OU=Groups,OU=Account,DC=Home,DC=Net"
New-ADGroup -Name "GG-CertStoreFSUsers" -GroupScope "Global" -GroupCategory "Security" -Path "OU=Groups,OU=Account,DC=Home,DC=Net"
# Users creation
New-ADuser -Name "sa-wap-fso" -description "File Share owner" -CannotChangePassword $True -ChangePasswordAtLogon $False -Enabled $True -PasswordNeverExpires $True -AccountPassword $Password -Path "OU=Service Accounts,OU=Account,DC=Home,DC=Net"
New-ADuser -Name "sa-wap-fsu" -description "File Share user" -CannotChangePassword $True -ChangePasswordAtLogon $False -Enabled $True -PasswordNeverExpires $True -AccountPassword $Password -Path "OU=Service Accounts,OU=Account,DC=Home,DC=Net"
New-ADuser -Name "sa-wap-csu" -description "Central cert store user" -CannotChangePassword $True -ChangePasswordAtLogon $False -Enabled $True -PasswordNeverExpires $True -AccountPassword $Password -Path "OU=Service Accounts,OU=Account,DC=Home,DC=Net"
# Groups membership configuration
Add-ADGroupMember -Identity "GG-FileShareOwners" -Members "sa-wap-fso"
Add-ADGroupMember -Identity "GG-FileShareUsers" -Members "sa-wap-fsu"
Add-ADGroupMember -Identity "GG-CertStoreFSUsers" -Members "sa-wap-csu"

To finish add sa-wap-web02 to local administrators group of Web Workers servers and sa-wap-web01 account to local administrators group of Front-End Servers, Publisher Servers, File Servers and Management servers.

File servers

Before starting installation, File Servers have to be prepared. You can use a standalone file server, a cluster file server or a NAS. Because FSRM is used and is not supported by Scale-out file servers, you should use File Server for general use. For more information about preparation of a Cluster of File servers or NAS, you can read this topic.

For my example, I use a standalone File Server. I have prepared my File Server with the below script:

net share %WEBSITES_SHARE% /delete
net share %WEBSITES_SHARE%=%WEBSITES_FOLDER% /grant:Everyone,full
net share %CERTIFICATES_SHARE% /delete
net share %CERTIFICATES_SHARE%=%CERTIFICATES_FOLDER% /grant:Everyone,full
net localgroup Administrators %DOMAIN%\GG-FileShareOwners /add
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\GG-FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\GG-FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)
icacls %CERTIFICATES_FOLDER% /grant %DOMAIN%\GG-FileShareOwners:(OI)(CI)(F)
icacls %CERTIFICATES_FOLDER% /inheritance:r
icacls %CERTIFICATES_FOLDER% /grant %DOMAIN%\GG-CertStoreFSUsers:(OI)(CI)(RX)

Prepare certificates

Two certificates are needed:

  • One used by the publishing role
  • One for websites using default domain.

I enroll certificates from my PKI running on ADCS. I have duplicated the web server default template. The private key must be exported so if you use a template, don’t forget to check the box J. For more information about certificate template, you can read this topic.

So I open an mmc on a server. Add the certificate snap in connected to the local computer. Right click on te certificates and request new certificate.

I select WAP_WebSites which is my certificate template. I click on the warning message:

Add a subject name :

  • Type : Common Name
  • Value : <your server name>

Add two alternative subject name :

  • Type: DNS
  • Value:

Click on apply and next on enroll.

Request a new certificate again with the same template. The subject name should be a common name with value *.<Default Websites Suffix>. Click on apply and to finish on enroll.

Next export the certificates as below:

Don’t forget to export the private key:

At the end, you should have your two certificates:

Web controller installation

Now that preparation is done, we can start the installation. The first component to install is the Web Controller. Connect to the server that will host this role. On my side the server is VMWAP11-WCT01. Download the Web Platform Installer and launch it with run as administrator (it is very important because if WPI is not launch with run as administrator, the installation fails).

Add Windows Azure Pack: Websites v2 component and click on install.

Once the installation is finished, Internet Explorer is open on the configuration. First, specify database information and the DNS suffix for websites.

Next specify the management server name and admin password for each role. These accounts should be the same that you have created in preparation part. Don’t forget that these accounts have to be a local administrator of the related servers.

Then specify a username and a password for the REST API. This account will be used when we will make the connection from the Windows Azure Pack to the Management server.

Next configure the file server. Because I have prepared my file server, I select Use a pre-configured Windows File Server. Use shares and credentials that you have created following the preparation part.

Configure the CEIP and Microsoft Update as you want and click on next.

Click on the tick to run the configuration of the listed features.

NB1: If the installation retry lot of time on Management Server, open system log on this server. If you have Overlapped I/O Operation is in progress error, try to remove KB2918614.

NB2: If you have issues and you want to reinstall Website clouds on the same database, remove hosting and ResourceMetering databases from SQL instance and all related accounts. If you do not, you will have an error in Web Sites service configuration.

Connect Windows Azure Pack to Management server

Open the WAP admin self-portal and select Web Site Clouds. Click on Connect To.

Specify a display name, the management server URL and the credentials that you have set during configuration.

If the management server is running properly, you should have a new website clouds as belowJ.

Add Front-End, Web Workers and Publisher

To continue configuration, click on your website cloud. One role page, you should have three ready servers:

  • The management server
  • The Web controller
  • The File server

To add others roles, click on add role. First click on Add new web worker.

Enter the hostname of the first Web Worker server.

Add again a new web worker server. I set this web worker type to reserved.

Click again on new role and select add new frontend.

To finish add a new publisher server.

And it’s finish. All server roles are deployed J

Configure website clouds

To setup your website cloud, click on configure as below. First click on the browse icon of Web Sites Default Certificate:

Select the certificate that you have prepared previously and enter the password.

Scroll down to the publishing settings, and configure DNS parameters related to the DNS server configuration that you have made previously. Next click on the browse icon of Publisher certificate.

Select the certificate for publishing usage that you have prepared previously and enter the password.


If you need to change credentials that you have set while web controller configuration, you can navigate to credentials:

Add web site clouds to a hosting plan

Now that the website cloud is ready, we can add it to a hosting plan. If you have not yet a hosting plan, you can follow this topic to create it. So navigate to your hosting plan and click on Add service.

Select the service that you want to add:

Now the website cloud service should be included in the plan.

In the website cloud configuration, you can configure your service level.

Create a website

To create the website, connect to the tenant self-portal with a user that has subscribed to the hosting plan. Click on new Website. I can create a database when I create a website because I have the SQL Server database service included in my subscription.

It is ok, my tenants can create their own websites J

To test the website, I’m connecting to If it’s working properly you should have something similar as below screenshot.

Manage the website

From the Self-Portal you can manage your website. A dashboard is provided to view performance.

You can also configure many settings as .NET version, PHP version etc.

On the scale screen, you can choose the service level.

And to finish, I try to publish a WordPress to the website. For that I have used Filezilla and I’m connected to

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).


  1. Hi Roman,
    Thanks for the post. i followed every single step of the installation for windows azure website clouds. However for some reason, the installation fails due to Web Farm Controller Service failing to start. I have tried very hard to resolve the issue but no luck. Any help please?

    • Hello,

      Does the Websites feature installation was successful?

      Could you send me some logs to my E-mail address? You can find it in Contact page. I need Webfarm logs, application and system logs.

      Thank you 🙂

  2. Hi Romain,

    I did a couple of fresh reinstalls because I cannot get this thing to work for some reason.
    The current version is azurepack websites rollup 11. The installer looks slightly different than in your guide.
    After installing everything and finishing the setup, the Management server keeps failing on installing the components because for some reason it switches off the IIS service. When I manually start IIS, the installation completes and an auto reboot is initiated. After the server comes back up, the w3wp process for HostingManagementService is taking 100% CPU and after a while, the webfarm.exe crashes. It keeps doing this in an infinite loop.

    Like I said I reinstalled my entire lab multiple times but everytime it fails with the same symptoms so this must be a bug.

    Do you have any idea or can you look into the deployment as how it is today? (rollup 11)


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Check Also

Windows Azure Pack – Authenticate tenants with AD FS

By default, Windows Azure Pack provides an Authentication site for tenants. This authentication site can ...

Windows Azure Pack – Website gallery issue

I had an issue with the WebSite Gallery in my Windows Azure Pack installation. When ...

Windows Azure Pack – PowerShell tenant API

Thanks to the Public Tenant API hosted on public services tier, the tenants can use ...