Keep it simple
Now, onto the reason for today's post.
Office Web Apps' most important feature is that no one ever knows what to call it.
- WAC: I have no idea what the 'C' stands for, but this is the most common truncation. Even the main service name contains this acronym. I'm sure someone will tell me eventually, but I haven't cared enough to look it up.
- OWA: This makes the most sense but it then gets confused with Outlook Web App, the online email access point for Exchange Server.
- OWAS: Obvious... which begs the question, why not just call it WAS?
- WAS: This is what I'll be calling it from now on after writing that last sentence.
It's also very finicky. I like to think of it as that hungover guy at work who thinks he's fooling everyone but every noise is too loud and it takes a few seconds too long to answer questions. We know, Jerry. You're not fooling anybody.
When you get past those first two features, it starts to get a little boring. It processes Office files in a live environment over the network and internet for things like Lync, Exchange, and SharePoint. Like I said, boring. I mean, who even uses PowerPoint presentations in a Lync meeting anymore, right?
Oh, that's right: Everyone. Office Web Apps Server gets a lot of flak for its lack of a user interface, tools, intuitive design, and sufficient error reporting, and rightly so. However, the value of a [working] WAC farm/server is very high in environments that have a reason for it.
Due to insufficient exercise and a poor diet, WAC servers frequently wind up in the "Unhealthy" state.
This is going to be a skin-deep, quick-and-dirty tutorial on how to fix your WAC 2013 server. I didn't want to dive into lengthy explanations for this one. We're going to fix this SOB and get you on your way. I will throw some of the error messages I was encountering at the end of the post, which hopefully explains why you found this page to begin with.
A couple considerations:
- This is for Office Web Apps Server 2013 only, which was installed on Windows Server 2012 R2 Datacenter Edition in this example
- This tutorial does not account for load balancing or SSL offloading
- This is for a single-server WAC farm, so you will need to add additional servers on your own (with the -MachineToJoin parameter for New-OfficeWebAppsMachine on the server not yet in the farm) -- keep in mind that there are additional considerations beyond this
- I used a public CA* for this example, but a private CA will work just fine if people are not connecting in from outside the network. If that's the case, save yourself some trouble and specify an HTTP address for -InternalURL, don't specify -ExternalURL at all, and definitely use the -AllowHTTP parameter for New-OfficeWebAppsFarm
Okay, here we go:
- Remove the Office Web Apps farm entirely with Remove-OfficeWebAppsFarm. Don't worry--it's not as bad as it sounds. It's just clearing the settings.
- Even if you think you've installed all prerequisites, let's verify. Trust me... you want to do this, and I'll explain why after the steps. Insert the Windows Server 2012 R2 media**. Check which drive letter was assigned to the DVD. In the example below, it is 'D' so be sure to change it, if necessary. Run this command:
Install-WindowsFeature Storage-Services,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Logging,Web-Stat-Compression,Web-Dyn-Compression,Web-Filtering,Web-Windows-Auth,Web-Net-Ext,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Mgmt-Console,NET-Framework-Core,NET-HTTP-Activation,NET-Framework-45-Core,NET-Framework-45-ASPNET,NET-WCF-HTTP-Activation45,NET-WCF-TCP-PortSharing45,InkAndHandwritingServices,FS-SMB1,Server-Gui-Mgmt-Infra,Server-Gui-Shell,PowerShell,PowerShell-V2,PowerShell-ISE,WAS-Process-Model,WAS-NET-Environment,WAS-Config-APIs,WoW64-Support -Source D:\sources\sxs -Verbose
- That's what I like to call overkill. I gathered this from the lowest-level feature name of Get-WindowsFeature | where InstallState -eq Installed
- Restart the computer (Restart-Computer) if there were any changes.
- Request a new certificate and delete the old one(s). This is a super straight-forward certificate. In the "Other Error Messages" section below, I talk a little bit more about this process.
- The subject name (CN) should be the name of your server, server.domain.com.
- The Subject Alternative Names (SANs) are not important in a single-server scenario, so just specify server.domain.com again and leave it at that***. You can also omit it altogether.
- For Key Usage, do at least Digital Signature and Key Encipherment, but you can also add Key Agreement (a8). I honestly don't think that matters.
- Key size should be 2048 bits. Enhanced Key Usage just needs to be Server Authentication.
- Friendly Name must be specified. This can be changed after accepting the new certificate by right-clicking on it in the store and clicking "Properties...".
- No need to set the private key as exportable with only one server. If you add another server, you'll need a new certificate. With multiple servers, the private key must be exportable.
- Import/accept the new certificate. Verify that it appears in your "Personal" store for the Local Computer in the Certificates Snap-In for MMC.exe.
- Install, or try to install if you already have, the following updates in no particular order:
- Microsoft Office Web Apps Server 2013 Service Pack 1:
https://support.microsoft.com/kb/2880558
(If you downloaded SP1 from another site, make SURE that you are downloading #2880558. There was a previous version of SP1 that they had to deactivate because it caused serious issues. More info on that here.)
- Language Packs for Microsoft Office Web Apps Server:
https://www.microsoft.com/en-us/download/details.aspx?id=35490
- If you're reading this from the distant future, you can also check out http://blogs.technet.com/b/office_sustained_engineering/ to see if any new updates have been released. Also, I have a message from the past: "Hi."
- If you did end up installing ANY updates, reboot the computer again.
- Open Powershell. Import the Office Web Apps Powershell module. It's easiest to modify your profile (which you can find by typing $profile, although you may have to create the folder and file) so that this loads at start-up on the WAC server. Either way, this is what will get it loaded: import-module "C:\Program Files\Microsoft Office Web Apps\AdminModule\OfficeWebApps\OfficeWebApps.psd1"
- Run a Get-OfficeWebAppsFarm just to make sure that it errors out and the farm doesn't already exist. Then, run New-OfficeWebAppsFarm -InternalURL <server.domain.com> -ExternalURL <server.domain.com> -CertificateName <the certificate's friendly name> -AllowHTTP -AllowCEIP
(-AllowCEIP turns on the Customer Experience Improvement Program. Be a sport and turn it on unless your company prohibits this.)
- What's next?? You guessed it. Reboot.
- Now, it may start working at this point, but don't get your hopes too high. Run Get-OfficeWebAppsMachine to check the status of the machine. We're hoping for "Healthy" in the far-right column.
However, that did not happen for me. I took that screenshot much later. It kind of entered a state where it was flashing all kinds of stuff in the Event Viewer for a while and then finally went solid Healthy. At one point, it was going back and forth every time I ran it. The reason this happens is because it has all the "Watchdog" services trying to catch up and this sometimes takes a while. If one of those is running behind, it marks the whole dang server as Unhealthy.
If you see stuff like this and pretty much only stuff like this in Event Viewer, you should probably just wait a bit.
Do another restart if you're stuck on something. If WAC is like the drunk of the Microsoft server world, a reboot is its bath and black coffee.
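Because the status can flip between Healthy and Unhealthy while the Watchdog services catch up, a single Get-OfficeWebAppsMachine reading proves little. The loop below is an added example, not part of the original post; it waits for several consecutive Healthy readings, and the poll count, interval and time limit are assumed values to adjust.

```powershell
# Added example: wait for a stable "Healthy" instead of trusting one reading.
Import-Module 'C:\Program Files\Microsoft Office Web Apps\AdminModule\OfficeWebApps\OfficeWebApps.psd1'

$required = 5                          # consecutive all-Healthy polls needed (assumed value)
$interval = 60                         # seconds between polls (assumed value)
$deadline = (Get-Date).AddMinutes(30)  # give up after this long (assumed value)
$streak   = 0

while ($streak -lt $required -and (Get-Date) -lt $deadline) {
    $machines  = @(Get-OfficeWebAppsMachine)
    # HealthStatus is compared as text so the check works whether it is a string or an enum
    $unhealthy = @($machines | Where-Object { "$($_.HealthStatus)" -ne 'Healthy' })

    if ($machines.Count -gt 0 -and $unhealthy.Count -eq 0) {
        $streak++
    } else {
        $streak = 0    # any Unhealthy reading restarts the count
    }

    '{0:HH:mm:ss}  healthy streak {1}/{2}  unhealthy: {3}' -f `
        (Get-Date), $streak, $required, ($unhealthy.MachineName -join ', ')

    if ($streak -lt $required) { Start-Sleep -Seconds $interval }
}

if ($streak -ge $required) {
    'Farm has stayed Healthy; it is safe to move on.'
} else {
    Write-Warning 'Still flapping or Unhealthy at the deadline. Check Event Viewer, then the certificate.'
}
```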
Why install what I already installed?
In step 2, I have you try to install a whole bunch of Windows features even though you've clearly already met the requirements to install Office Web Apps. The reason for this is that a lot of guides omit extremely important features which don't prevent you from installing the software, but lead to a broken server. You know who else gets it wrong? TechNet. Yep. They don't have all the required features listed in their own guide.
Other Error Messages
The HTTP request to 'http://owa01:809/ecs/ExcelService.asmx' has exceeded the allotted timeout of 00:00:14.2650000. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out
I'm not sure if rebuilding the farm caused this one to go away or not. If you pull up that ASMX file, it provides information on how to test the service--which I didn't do. In my case, it may have gone away with time or with creating the new farm.
<Service Watchdog name> reported status for <service name> in category '4'. Reported status: Contacting <ASMX filename>.asmx failed with an exception: Could not establish trust relationship for the SSL/TLS secure channel with authority '<server.domain.com>'.
This means, quite simply, your certificate is screwed up. Check your settings again. Refer to step 5 above if you're getting this before or after rebuilding the farm. Try not to make the cert too complicated.
If you're requesting the cert out of the MMC snap-in, for a single-server farm, you only need to change the Subject Name type to Common Name, enter server.domain.com for the Value, click "Add >", and give it a friendly name in the General tab. All the other defaults should do just fine.
For a multi-server farm in the MMC snap-in, do the above but add a couple things. First, for each server that you have, create DNS entries with the same name but the IP address will be that of the WAC servers. For example: 2 servers, WAC1 and WAC2, are being added to a farm. I create an A record called wacservers and point it to the IP address of WAC1, then another A record also called wacservers and point it to the IP address of WAC2. In the cert request, configure the subject names and alternative names like this:
Lastly, in the Private Key tab under "Key options," place a checkmark next to "Make private key exportable." This will allow you to use the same private key on both servers.
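The certificate checklist from the rebuild steps, plus the trust failure described above, can be checked in one pass. This is an added example, not from the original post; the friendly name and FQDN are placeholders, and Test-Certificate comes from the PKI module that ships with Windows Server 2012 and later.

```powershell
# Added example: audit the WAC certificate against the checklist in this post.
# $FriendlyName and $Fqdn are placeholders, not values from a real farm.
$FriendlyName = 'WAC Certificate'      # the friendly name passed to -CertificateName
$Fqdn         = 'server.domain.com'    # the server name used for the CN

$found = @(Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($found.Count -ne 1) {
    # Old certificates left behind with the same friendly name make the choice ambiguous
    throw "Expected exactly 1 certificate named '$FriendlyName', found $($found.Count)."
}
$cert = $found[0]

# Subject CN and the Key Usage extension (the extension can be absent)
$x509  = 'System.Security.Cryptography.X509Certificates'
$cn    = $cert.GetNameInfo(([type]"$x509.X509NameType")::SimpleName, $false)
$ku    = $cert.Extensions | Where-Object { $_ -is ([type]"$x509.X509KeyUsageExtension") }
$flags = [type]"$x509.X509KeyUsageFlags"

$checks = [ordered]@{
    'CN equals server FQDN'              = ($cn -eq $Fqdn)
    'Private key present'                = $cert.HasPrivateKey
    # The post asks for 2048 bits; larger keys also pass here
    'Key size at least 2048 bits'        = ($cert.PublicKey.Key.KeySize -ge 2048)
    # Digital Signature (0x80) + Key Encipherment (0x20); Key Agreement is optional
    'Key Usage has DigSig + KeyEnc'      = ([bool]$ku -and
                                            $ku.KeyUsages.HasFlag($flags::DigitalSignature) -and
                                            $ku.KeyUsages.HasFlag($flags::KeyEncipherment))
    'EKU includes Server Authentication' = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    # Builds the chain and matches the name, which is what the Watchdog trust error is about
    'Passes SSL policy for the FQDN'     = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn `
                                            -WarningAction SilentlyContinue -ErrorAction SilentlyContinue)
}

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } |
    Format-Table -AutoSize

if ($checks.Values -contains $false) {
    Write-Warning 'At least one check failed; fix the certificate before rebuilding the farm.'
}
```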
A Special Note on Windows Updates
Don't let them install automatically. You've seen how fidgety this software is, and an unwanted update can cause you to land right back in the vicious cycle of trying random crap and continuing to see "Unhealthy" over and over and over again. Oh my god, that drove me insane.
You shouldn't install anything that will affect things like IIS, Office, generic or non-specific Microsoft software updates, language packs, etc. If it's working, stick to the needed security updates and Google WAC-related updates (by their knowledge base number, like "KB1234567") before installing.
Footnotes
* If you haven't heard of StartSSL, you should check them out. They offer completely free single-domain certificates, which can help out a lot in a lab. I've been using them for a while now and have yet to find "the catch." https://www.startssl.com/
** In Hyper-V: Right-click the virtual machine, "Settings...", "DVD Drive", "Image File", "Browse...", then find the ISO file. I added this because no one ever freaking says it!
*** Briefly, because it's covered in a later section, for multi-server, you need a SAN for each entry and the DNS round robin address, if used. DNS round robin: multiple A records with the same name, but pointing to different IP addresses. So typing recordname.domain.com will result in one of those servers responding. Each time you ping or otherwise contact that server at the record name, it randomly chooses which address should respond. It is a very sloppy way to handle load-balancing, but it can be useful in a lab environment.




