Central admin not created on second App server

Topics: General Questions, Support
Nov 22, 2013 at 9:23 AM
Edited Nov 22, 2013 at 9:24 AM
Hi,
I need some quick help here. I'm about to deploy a farm with two WFEs and two app servers. I want the Central Admin to be hosted on the App servers with SSL. When I run the installer, the Central Admin is only created on Appserver1 and not on Appserver2. The certificate is also only created on Appserver1.
The input file regarding the Central admin looks like this:

<CentralAdmin Provision="Appserver1,Appserver2">
    <Database>AdminContent</Database>
    <Port>2010</Port>
    <UseSSL>true</UseSSL>

Please help, I have a timeline here :(

Thank you.
Nov 22, 2013 at 12:10 PM
If you cannot do it using AutoSPInstaller, just configure it manually. From Appserver1, enable the Central Admin service instance from "Services on Server" on Appserver2; that creates the Central Admin IIS site on Appserver2. Then manually configure the certificate in IIS on that server. You may need to tweak the AAMs.
Nov 22, 2013 at 12:39 PM
Thank you for answering so quickly!
The Central Admin IIS site has been created by the AutoSPInstaller on Appserver2, but without https, certificates or bindings, and the service is started. I will try to stop the service on Appserver2 and start it again to reprovision the Central Admin on Appserver2.
Nov 22, 2013 at 8:52 PM
Didn't work :(
I get redirected to Appserver1 when I try to access the CA on Appserver2.
Nov 22, 2013 at 9:30 PM
Edited Nov 22, 2013 at 9:31 PM
Try https://appserver2:2010/default.aspx

If that works, and it likely will, then you need to show us what you have for Alternate Access Mapping for the Central Admin web app.
Nov 23, 2013 at 12:15 PM
Thank you for helping me out!
It worked with http://appserver2:2010/default.aspx, however note that I have to use http. The AAM shows http on Appserver2 and https on Appserver1.
The issue here is that it's only creating the https on the first server, not the second one. It should create a certificate on both servers and use https as binding if I use the below, right?

<CentralAdmin Provision="Appserver1,Appserver2">
    <Database>AdminContent</Database>
    <Port>2010</Port>
    <UseSSL>true</UseSSL>

Or should I use a space between the servers instead?

<CentralAdmin Provision="Appserver1 Appserver2">
    <Database>AdminContent</Database>
    <Port>2010</Port>
    <UseSSL>true</UseSSL>
Nov 23, 2013 at 1:34 PM
I personally never implement Central Administration to be SSL-enabled, so I do not know how it behaves in terms of cert creation. A space between the servers is definitely OK. I will need to look at the code to know if a comma is a supported separator though.

You could manually change the alternate access maps and manually do the certificate binding in IIS to fix this.

My general recommendation is to implement CA in http in both servers and manually extend it to another IIS/site to be SSL-enabled rather than have the default zone being on SSL. AutoSPInstaller as-is will not help there.

I have seen things break if Central Admin is on SSL on default zone.
Nov 23, 2013 at 1:49 PM
One more thing, I'm running the AutoSPInstaller from Appserver01 with remote install on Appserver02.
Nov 23, 2013 at 1:52 PM
Another feature that I never used is remote install. So cannot help much there. Effectively after the first server build, the second server onwards takes less than 15 minutes. No value for me unless I am probably doing a 20-server farm installation or more.
Coordinator
Nov 23, 2013 at 6:23 PM
I must admit I almost never provision Central Admin on more than one server - I usually designate a single 'Admin' server to run CA, User Profile Sync, Usage Analysis and other services that either can't or don't need to be highly-available (Central Admin can be re-provisioned on any other server in the farm with a single line of PowerShell). So I haven't done as much testing on multi-server Central Admin as I should and you may indeed be facing a bug in the script.

Joseph is correct - enabling SSL on the Default zone for CA can be problematic - if you were to re-run the Config Wizard (PSConfig or PSConfigUI), especially after an upgrade, the HTTPS binding in IIS doesn't get re-set properly, making Central Admin inaccessible until you manually re-add the IIS binding.

I also question the value of SSL on Central Admin, unless you plan to routinely access it from another computer (I usually RDP to the CA server, so no traffic goes across the wire when I access CA).

Brian
Nov 23, 2013 at 7:22 PM
Edited Nov 23, 2013 at 7:25 PM
Hi,
Thanks for your reply!
Running CA on SSL was a suggestion from Microsoft in a readiness check I did with a customer a time ago, so that's why I keep using it in my installations.
What I've done now to fix this is creating a self-signed cert on Appserver2, adding that to a new binding and assigning the cert, then changing the AAM from http://Appserver2:2010 to https://Appserver2:2010.
I hope this will be ok...
Can you please verify that using the <CentralAdmin Provision="Appserver1 Appserver2"> (with a space) will successfully provision CA on the servers with a remote install from Appserver1 to Appserver2?
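The manual repair described in the post above (certificate, HTTPS binding, AAM change on Appserver2), written out as an added PowerShell example that is not part of the original thread or of AutoSPInstaller. The IIS site name is an assumption (check it with Get-Website), and New-SelfSignedCertificate assumes Windows Server 2012 or later.

```powershell
# Added example: run in an elevated PowerShell session on Appserver2.
# Server name and port come from the thread; $siteName is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$server   = 'Appserver2'
$port     = 2010
$siteName = 'SharePoint Central Administration v4'   # assumed IIS site name

# 1. Self-signed certificate in the machine store. Browsers on other
#    machines will not trust it unless it is distributed to them; a
#    certificate issued by an internal CA avoids that.
$cert = New-SelfSignedCertificate -DnsName $server `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. One port cannot serve both HTTP and HTTPS, so swap the binding.
if (Get-WebBinding -Name $siteName -Protocol http -Port $port) {
    Remove-WebBinding -Name $siteName -Protocol http -Port $port
}
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
}

# 3. Attach the certificate to the new HTTPS binding.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Point the alternate access mapping at the HTTPS URL.
Set-SPAlternateURL -Identity "http://${server}:$port" `
                   -Url "https://${server}:$port"

# 5. Verify: the site should list an https binding on the port, and the
#    mapping for this server should now start with https://.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Get-SPAlternateURL | Where-Object { $_.IncomingUrl -like "*:$port*" } |
    Format-Table -AutoSize
```

Step 5 is worth re-running after any PSConfig or PSConfigUI run, since the thread reports that the HTTPS binding does not get re-set properly by the Config Wizard.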
Nov 23, 2013 at 8:21 PM
I am aware of that specific "Microsoft recommendation". Still the way to implement is to extend CA into a different zone (say Intranet) and enable SSL for the extension and advise the administrator to use the SSL-enabled URL.

I would not recommend that you implement SSL in the default zone. That is, if you do not want to have much unpredictability operating this farm in the near, medium and long term.
Nov 23, 2013 at 9:42 PM
You are right. I might reconsider this... as PSCONFIG restores the bindings etc. I believe I will just ignore the SSL approach.