MESSAGE QUEUING SERVICES
Microsoft Message Queuing (MSMQ), now called simply Message Queuing, gives system administrators a way to manage an asynchronous communications infrastructure. Message Queuing is also of great interest to software developers who want to build message-queuing-aware applications. Such applications go by several industry names, including message queuing, message-oriented middleware (MOM), and store-and-forward software. Unlike e-mail, which passes messages between people, message queuing passes messages between applications.

A queue is temporary storage that buffers data until an appointed time or until the recipient is available. This allows communication regardless of the state of the receiving computer, even if that system is off line. Messages remain in the queue until the receiving application is available to accept them, unless other parameters are set to discard a message after a specific number of attempts or period of time.

NOTE: The development aspect of Message Queuing is outside the scope of Windows Server 2003 administration. Administrators or developers interested in developing message-queuing applications should obtain the MSMQ Software Development Kit.

NOTE: Cross-platform connectivity to IBM MQSeries versions 2 and 5 is provided by the optional MSMQ-MQSeries Bridge, available with Microsoft SNA Server version 4 Service Pack 2 or later. The Bridge was purchased from Level8 Systems and was commercially known as FalconMQ Bridge.
Concepts
Several concepts must be understood prior to installing and deploying Message Queuing. Messages, queues, network topology, and routing are explored in the following sections.
UNDERSTANDING MESSAGES
Message Queuing messages have two primary parts: the body and the properties (header). The body holds binary or text data that only the receiving application needs to interpret, and it can be encrypted. The properties include the message ID and whatever else the application requires, such as the label, priority, and delivery mode. The maximum size of a message is 4 megabytes.

Normal messages are regular communications between applications and are delivered through public, private, journal, dead-letter, or transaction queues. Report messages are generally sent as tests or for route tracking. Response messages are replies from the receiving application, sent to the response queue named by the sender. Finally, acknowledgment messages confirm the receipt (or failure) of a normal message; Message Queuing sends them to the administration queue specified by the sending application.

Messages are delivered by either an express or a recoverable method. Express messages are held in RAM only, which is the fastest and most efficient method. However, express messages are lost when the Message Queuing service is shut down or, if it runs on a cluster, during a failover. Recoverable messages are written to disk until delivery succeeds. This method is slower but safer, and it is the only appropriate choice for messages the business cannot afford to lose.
UNDERSTANDING QUEUES
The queue is the base structure used by Message Queuing to store and transmit messages. Different queues perform different functions, as follows:
Administration queues are designated by the sending application and receive the acknowledgment messages generated for the messages it sends.
Public queues are available to any computer in the enterprise. Their properties are published in Active Directory and replicated to domain controllers.
Private queues are used only by Message Queuing applications that know the format name or path of the queue. They are not registered in or published by Active Directory.
Dead-letter queues hold messages that cannot be delivered or that exceed the time specified for delivery.
Response queues hold response messages sent from the receiving application to the sender.
Report queues hold report messages, which record the route taken by a message.
System queues are created by Message Queuing itself for internal use (journal, dead-letter, and similar) and cannot be deleted.
Journal queues keep copies of messages for later verification. Source journaling keeps a copy of each message sent on the sending computer; target journaling keeps a copy of each message retrieved from a queue on the destination computer.
UNDERSTANDING NETWORK TOPOLOGY FOR MESSAGE QUEUING
As the basis for its network topology, Message Queuing uses the Windows Server 2003 site. Sites are defined in Active Directory, which means the site topologies for Active Directory and Message Queuing are identical. (For information about site structure, refer to Chapters 5 and 6.) With specific regard to Message Queuing, it is essential that the intrasite network be permanent and that sufficient bandwidth exist to support the anticipated volume of messages. For intersite messaging, multiple Message Queuing servers are commonly configured for redundancy. Every additional Message Queuing server adds replication and routing traffic, however, so a sensible baseline is at least one Message Queuing server per site (or per subnet), with more only where redundancy or load justifies the extra traffic.

Routing links carry messages between sites when one or more Message Queuing servers are used. On Windows 2000, Message Queuing had to be installed on a domain controller in order to view and modify Message Queuing data in Active Directory; Windows Server 2003 removes that requirement (see "Windows Server 2003 Specific Message Queuing Enhancements" later in this chapter). Message Queuing servers are configured to store and forward messages and to provide dynamic routing. Windows 2000 Message Queuing could route messages between sites over either IP or IPX networks, provided the Message Queuing server was configured for that protocol; IPX in turn required name resolution, supplied either by a Novell server or, lacking one, by installing the Service Advertising Protocol (SAP) agent. Message Queuing 3.0 on Windows Server 2003 is IP-based; check the release notes before planning any IPX routing.

CAUTION: To use IPX with multiple adapters, each computer must be configured with a unique internal network number. This requirement ensures the proper operation of remote procedure calls (RPCs) over IPX. Zero is not an acceptable network number.

Independent Message Queuing clients do not perform routing, that is, they do not store and forward messages on behalf of other computers. Apart from this limitation, they send and receive messages much as a Message Queuing server does. An independent client holds outgoing messages in its own local queues and sends them when a connection to the receiving computer or application is available; if the system is offline, it stores the messages until connectivity is restored. The dependent Message Queuing client is similar to the independent client except that it has no local storage and communicates synchronously, which makes it dependent on its server to perform Message Queuing functions on its behalf.
Understanding Message Routing
If a direct connection cannot be established, Message Queuing uses routing to deliver messages and return acknowledgments. That is, a message hops from computer to computer until the destination is reached. Message Queuing measures these hops to inform future routing decisions. It attempts to use the least costly route, but if the cheapest route is unavailable it will use any available route to complete the delivery.

In large organizations where message volumes are substantial, it is wise to consider creating specialized Message Queuing servers to handle traffic. In-routing servers receive inbound messages on behalf of a client within a site; out-routing servers forward the client's outbound messages across the wide area network and so control the message flow over the slower links. Independent clients should generally be configured with multiple in-routing and out-routing servers in order to minimize message transmission failures.

Routing is predicated on the availability of links and their relative costs. Once multiple links are established, Message Queuing routes over the path whose total link cost is lowest, using the costs entered during configuration. Lower numbers are preferred, so assign the smallest costs to the best links. A common way to rank links is to divide their throughput by the actual cost of the connection, giving a relative measure of kilobits or megabits per second of message transfer per monetary unit; the link with the best ratio gets the lowest cost, and the others are scaled relative to it.

Routing links use Message Queuing servers to route messages. One or more Message Queuing servers must be assigned to each routing link.

When Message Queuing traffic must cross a firewall, the guidance of the period is to carry it inside a PPTP-based secure channel rather than expose the RPC ports directly. The RPC ports involved are TCP 2103 and 2105 (remote reads), while MQPing uses UDP port 3527. Three basic modes can be configured in a firewall environment:

1. Messaging only: open TCP port 1801, which is all that independent clients need to send and receive messages.
2. Messaging plus Active Directory access: open TCP port 1801 and the RPC ports TCP 135 and 2101.
3. Messaging, Active Directory access, and remote reads: in addition to the ports in the second mode, open RPC port TCP 2105 so that remote clients can read queues on the internal Message Queuing server.
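The three firewall modes above, expressed as a scripted rule set (an added example, not from the book or from Microsoft). It assumes the NetSecurity module of Windows Server 2012 or later (on Windows Server 2003 the same ports would be opened with "netsh firewall add portopening") and a branch-office subnet that is made up for the example; the port numbers are the ones the text names.

```powershell
# Added example (not from the book): Windows Firewall rules for the three
# exposure modes listed above, most restrictive first. Assumptions: the
# NetSecurity module (Windows Server 2012 or later; on Windows Server 2003 the
# equivalent is "netsh firewall add portopening"), and the remote subnet,
# which is made up for the example. Ports are the ones the text names.

$MsmqPortSets = @{
    # Mode 1: messaging only. Enough for independent clients to send and receive.
    Messaging       = @( @{ Protocol = 'TCP'; Port = 1801 } )
    # Mode 2: messaging plus Active Directory lookups over RPC.
    MessagingAndAd  = @( @{ Protocol = 'TCP'; Port = 1801 }, @{ Protocol = 'TCP'; Port = 135 },
                         @{ Protocol = 'TCP'; Port = 2101 } )
    # Mode 3: mode 2 plus remote reads of queues on the internal server.
    MessagingAdRead = @( @{ Protocol = 'TCP'; Port = 1801 }, @{ Protocol = 'TCP'; Port = 135 },
                         @{ Protocol = 'TCP'; Port = 2101 }, @{ Protocol = 'TCP'; Port = 2103 },
                         @{ Protocol = 'TCP'; Port = 2105 } )
}

function New-MsmqFirewallRuleSet {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Messaging', 'MessagingAndAd', 'MessagingAdRead')][string]$Mode,
        [Parameter(Mandatory)][string]$RemoteAddress,   # scope every rule to the peer network, never 'Any'
        [switch]$AllowMqPing                            # UDP 3527, only while troubleshooting
    )
    $ports = @($MsmqPortSets[$Mode])
    if ($AllowMqPing) { $ports += @{ Protocol = 'UDP'; Port = 3527 } }
    foreach ($p in $ports) {
        $name = "MSMQ $Mode $($p.Protocol)/$($p.Port) from $RemoteAddress"
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound allow rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Profile Domain `
                -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $RemoteAddress | Out-Null
        }
    }
    # Return the ports opened so the caller can record them in the change ticket.
    $ports | ForEach-Object { "$($_.Protocol)/$($_.Port)" }
}

# Preview the rule set for a branch-office subnet (constructed address) before applying it.
New-MsmqFirewallRuleSet -Mode Messaging -RemoteAddress '10.20.0.0/24' -WhatIf
```

Start with the Messaging mode and add the RPC ports only when a concrete requirement (directory lookups, remote reads) forces it: mode 3 lets remote callers dequeue messages from internal queues, so its rules deserve the tightest -RemoteAddress scope. Note that TCP 135 is only the RPC endpoint mapper; the fixed ports 2101, 2103 and 2105 are what Message Queuing actually answers on.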
CREATING A ROUTING LINK
The creation of a routing link for Message Queuing is accomplished via these steps:
1. Open the Active Directory Sites and Services snap-in.
2. In the console tree, expand Services (choose Show Services Node from the View menu if it is not displayed) and right-click MsmqServices.
3. Select New.
4. Select MSMQ Routing Link.
5. In the dialog box, select the two sites to be linked from the Site 1 and Site 2 lists.
6. Assign a relative cost (a positive integer) for the link in the MSMQ Link Cost text box.
CHANGING ROUTING SERVERS FOR A ROUTING LINK
To change the routing server of a routing link for Message Queuing, follow these steps:
1. Open the Active Directory Sites and Services snap-in.
2. In the console tree, expand Services and select MsmqServices.
3. Right-click the targeted routing link and select Properties.
4. On the Site Gates tab, select the server in the Site Servers list and click Add.

To remove a routing server, follow steps 1 through 3, then on the Site Gates tab select the server and click Remove.
CREATING A COST FOR A ROUTING LINK
Follow these steps to create a cost for a Message Queuing routing link:
1. Open the Active Directory Sites and Services snap-in.
2. In the console tree, expand Services and select MsmqServices.
3. Right-click the targeted routing link and select Properties.
4. On the General tab, enter the cost in the Link Cost text box.
CHANGING THE ROUTING SERVER FOR INDEPENDENT CLIENTS
To change the routing server for independent Message Queuing clients, perform the following steps:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, expand the client computer object and select its msmq child object.
5. Right-click msmq and select Properties.
6. Select the Routing tab. From the In Routing Servers list, select up to three servers or, to remove in-routing servers, click None.

Out-routing servers are changed by the same method: follow steps 1 through 5, then on the Routing tab select from the Out Routing Servers list.
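The least-cost routing rule described under "Understanding Message Routing", and the link costs entered by the procedures above, can be checked from a script before a topology change is committed. The following is an added example (not from the book); Get-MsmqRoutingLink assumes that routing links are stored as mSMQSiteLink objects under CN=MsmqServices in the configuration partition, and the sample topology at the end is constructed, not a real network.

```powershell
# Added example (not from the book): audit the routing-link topology by
# computing the route Message Queuing would prefer between two sites, using
# the least-total-cost rule described above. Find-MsmqRoute works on a plain
# list of links; Get-MsmqRoutingLink reads real links from Active Directory
# (an assumption about where they live: mSMQSiteLink objects under
# CN=MsmqServices in the configuration partition). The sample topology at the
# end is constructed for the example and is not a real network.

function Get-MsmqRoutingLink {
    # Returns Site1/Site2/Cost for every routing link in the forest.
    $cfg = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=MsmqServices,CN=Services,$cfg"
    $searcher.Filter = '(objectClass=mSMQSiteLink)'
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Site1 = ($r.Properties['msmqsite1'][0] -split ',')[0] -replace '^CN=', ''
            Site2 = ($r.Properties['msmqsite2'][0] -split ',')[0] -replace '^CN=', ''
            Cost  = [int]$r.Properties['msmqcost'][0]
        }
    }
}

function Find-MsmqRoute {
    param(
        [Parameter(Mandatory)][object[]]$Links,    # objects with Site1, Site2, Cost
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [string[]]$DownLinks = @()                 # unavailable links as "SiteA-SiteB" (names sorted)
    )
    # Undirected adjacency table; links reported down are left out entirely.
    $adj = @{}
    foreach ($l in $Links) {
        $pair = @($l.Site1, $l.Site2) | Sort-Object
        if ($DownLinks -contains ($pair -join '-')) { continue }
        if (-not $adj.ContainsKey($l.Site1)) { $adj[$l.Site1] = @{} }
        if (-not $adj.ContainsKey($l.Site2)) { $adj[$l.Site2] = @{} }
        $adj[$l.Site1][$l.Site2] = [int]$l.Cost
        $adj[$l.Site2][$l.Site1] = [int]$l.Cost
    }
    # Dijkstra: the cheapest total cost wins. When the cheap path is down, any
    # remaining path is used, matching the fallback behaviour described in the text.
    $dist = @{}; $dist[$From] = 0; $prev = @{}
    $open = New-Object System.Collections.ArrayList; [void]$open.Add($From)
    while ($open.Count -gt 0) {
        $u = @($open | Sort-Object { $dist[$_] })[0]
        $open.Remove($u)
        if ($u -eq $To) { break }
        if (-not $adj.ContainsKey($u)) { continue }
        foreach ($v in $adj[$u].Keys) {
            $alt = $dist[$u] + $adj[$u][$v]
            if (-not $dist.ContainsKey($v) -or $alt -lt $dist[$v]) {
                $dist[$v] = $alt; $prev[$v] = $u
                if (-not $open.Contains($v)) { [void]$open.Add($v) }
            }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }    # no available route at all
    $path = @($To)
    while ($prev.ContainsKey($path[0])) { $path = @($prev[$path[0]]) + $path }
    [pscustomobject]@{ Path = ($path -join ' -> '); Cost = $dist[$To] }
}

# Constructed sample topology. Costs are relative integers; lower is preferred.
$sampleLinks = @(
    [pscustomobject]@{ Site1 = 'Seattle'; Site2 = 'Denver';  Cost = 10 }
    [pscustomobject]@{ Site1 = 'Denver';  Site2 = 'Chicago'; Cost = 10 }
    [pscustomobject]@{ Site1 = 'Seattle'; Site2 = 'Chicago'; Cost = 50 }   # direct but expensive
)
Find-MsmqRoute -Links $sampleLinks -From 'Seattle' -To 'Chicago'
Find-MsmqRoute -Links $sampleLinks -From 'Seattle' -To 'Chicago' -DownLinks 'Denver-Seattle'
# Against a real forest: Find-MsmqRoute -Links (Get-MsmqRoutingLink) -From 'Seattle' -To 'Chicago'
```

With the sample data the first call chooses the two-hop path through Denver (total cost 20) over the direct link (cost 50); the second call, with the Seattle-Denver link marked down, falls back to the direct link. Running the same query against the real links from Active Directory shows whether a newly entered cost actually produces the route you intended, and a $null result flags a site pair with no available route at all.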
TESTING CONNECTIVITY USING MQPING
Test connectivity using MQPing with the following steps:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, expand the computer object and select its msmq child object.
5. Right-click msmq and select Properties.
6. Select the Diagnostics tab and click MQPing.
Installing Message Queuing Services
The installation process begins with an analysis of hardware and network requirements. Once these items are mapped out and available, installation of Message Queuing can begin.
PREINSTALLATION HARDWARE CONSIDERATIONS
One key to efficient message queuing is appropriately sized and configured hardware. Hard disk drives, memory, processors, and network adapters all play important roles.

The number and size of hard drives dedicated to message-queuing servers matter because recoverable messages, journals, and logs must be written to disk. With this amount of constant writing, seek times can slow message delivery, so using only a single hard drive is not advised. With two disk drives, put the messages on one disk and the logs on the other. Microsoft recommends a five-drive configuration that separates Message Queuing messages, the message log file, transaction logs, the virtual memory paging file, and application data files.

NOTE: To view the Avg. Disk Queue Length counter: Start menu > Administrative Tools > Performance Monitor. If the queue length regularly exceeds 0.6, adding disks is probably warranted.

Sizing a disk is also important. Recoverable messages are allocated in 4 KB units, which works out to about 250 messages per megabyte. Express messages are held in memory and need disk only when physical memory runs short, at roughly one-fourth the space that recoverable messages require. If the server runs out of memory, paging will occur and demand additional disk space.

As suggested, system memory should be sufficient to minimize paging, but sizing can be difficult. A receiving server may have enough RAM or disk space to hold messages only until the associated application is started. Sending computers have a similar problem with accumulation of messages if the network or the receiving system is down. Ideally, systems are configured with sufficient memory to accommodate peak message loads. For example, Microsoft estimates the average message body at 150 bytes and the average header at 1 kilobyte, for a total of about 1,150 bytes per message. If the maximum number of messages expected to accumulate on a message-queuing server is 50,000, multiplying by 1,150 bytes shows that a minimum of roughly 57.5 MB should be added for message storage.

The speed of the CPU and of the network adapters has an obvious impact on message queuing. Use the fastest economically feasible CPU for message-queuing servers, and multiple fast network adapters, to increase message throughput.
INSTALLATION CONSIDERATIONS
Installation of Message Queuing can take several steps. First, the Message Queuing servers are installed; during this process you must decide whether to enable routing support. Then independent and dependent clients are installed (this is automatic for existing message-queuing clients). If appropriate, Message Queuing Exchange connectors are applied. In a domain environment, both Active Directory and RPC must be operational. For each site, Message Queuing must be installed on a domain controller before it is installed on member servers or clients within that site (a Windows 2000 requirement; see the Windows Server 2003 enhancements later in this chapter).

The actual installation involves these steps: Start menu > Administrative Tools > Configure Your Server. From the dialog box, select Advanced > Message Queuing. The options offered by the installation wizard are fairly obvious. For specific questions, refer to the Help menu (see Figure 17.8).
Figure 17.8. A Sample Installation Wizard Screen
CAUTION: If you are migrating from an existing Windows NT MSMQ server, you must resolve numerous incompatibilities and other issues, many of which can be handled by the Message Queuing Migration Tool wizard. (Previous versions used an MQIS controller server.) The migration tool, which should be run on the MQIS controller and then on all other MSMQ or Message Queuing client computers, transfers the topology and other information to Active Directory.

Among the differences to note when upgrading from Windows NT are the following:
There is no longer an MSMQ-specific database (MQIS) requirement to use the SQL Server to store information such as the network topology.
There are no MSMQ-specific sites.
There is no MSMQ-specific enterprise designation.
CAUTION: Message-queuing servers can be clustered. If this is desired, create the cluster group first and then assign the Message Queuing resource to a specific node. The major downside to clustering is that express messages residing in memory on the node are lost during a failover; recoverable messages on the shared cluster disk survive.
Administrative Tools for Message Queuing Services
The primary Message Queuing administrative tools are integrated in the Active Directory Users and Computers, Active Directory Sites and Services, and Computer Management snap-ins. The first two tools are used to administer Message Queuing in an enterprise setting, whereas the Computer Management snap-in does this for the local computer or workgroup. These tools replace the standalone MSMQ Explorer used in Windows NT, which is still required for the administration of down-level MSMQ servers that have not been updated to Windows 2000 or Windows Server 2003.

The Active Directory Users and Computers snap-in creates and sets properties of public and private queues, views message properties, and views message-queuing computers with their properties. The properties that can be set and viewed include Admin queue name, format and length, arrived time, authentication, class, delivery mode, encryption options, hash algorithm, message ID, priority, sender ID, sent time, size, and source computer GUID and path.

The Active Directory Sites and Services snap-in views, creates, and sets properties for routing links. It can also create and set foreign computer properties and sites. The Computer Management snap-in views and removes local messages, and views and creates public and private queues and their properties.
FINDING A MESSAGE QUEUING SYSTEM
A message-queuing computer can be located using the following steps:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, select the targeted domain and then select Computers.
5. Click each computer in turn to see whether an MSMQ (msmq) object exists beneath it.
SETTING A COMPUTER MESSAGE STORAGE SIZE
The message storage limit on a computer can be set as follows:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, expand the computer object and select its msmq child object.
5. Right-click msmq and select Properties.
6. Select the General tab. In the Storage limits box, check Limit message storage to (KB).
7. Enter the maximum number of kilobytes available for message storage.
LIMITING JOURNAL STORAGE SIZE
The journal storage limit on a computer can be set with the following steps:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, expand the computer object and select its msmq child object.
5. Right-click msmq and select Properties.
6. Select the General tab. In the Storage limits box, check Limit journal storage to (KB).
7. Enter the maximum number of kilobytes available for the journal.
FINDING A QUEUE
To find a queue, take the following steps:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, right-click Computers or Domain Controllers and click Find.
5. On the Find MSMQ Queue tab, type the appropriate data in the Label or Type ID text box, then click Find Now.
DELETING A QUEUE
Delete a queue this way:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, right-click the targeted queue and click Delete.
5. Click Yes to confirm the deletion.
ENABLING OR DISABLING JOURNALS
To enable or disable journaling, take the following steps:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, right-click the targeted queue and select Properties.
5. Select the General tab. In the Journal section, select the Enable check box.

To disable journaling, follow steps 1 through 4, then on the General tab clear the Enable check box.
VIEWING MESSAGE PROPERTIES
View message properties according to the following steps:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, expand the targeted queue and select Queue messages; in the details pane, right-click the targeted message and select Properties.
5. Review the properties by working through the available tabs in turn.
PURGING ALL MESSAGES
Purge all messages as follows:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. Open the View menu and select Advanced Features.
4. In the console tree, expand the targeted queue, right-click Queue messages, point to All Tasks, and select Purge.
5. Click Yes to confirm the deletion of all messages.
Message Queuing Security Issues and Management
Message Queuing relies on the security features of Windows 2000 and Windows Server 2003, including access control lists (ACLs), encryption, and authentication. Queues, Message Queuing computers (the msmq configuration object), and routing links are securable objects, each with its own ACL; access to the messages in a queue is governed by that queue's ACL. By default the Everyone group is granted send (write) permission on new queues, so any caller on the network can put messages into a queue until the ACL is tightened. Receive permission allows a user to retrieve and view the messages in a queue. Only the Administrators group has Full Control over all local Message Queuing messages, logs, and queues by default. Permissions are set in the Active Directory Users and Computers snap-in, on the msmq configuration object of a computer or on an individual queue. First, however, a number of security-related issues must be considered, as follows:
Service account.
Message Queuing can run under the Local System account or a specific user account. For greater security, use a dedicated account created for Message Queuing and grant it only the rights the service needs.
Guest account.
The Guest account on Windows Server 2003 is disabled by default. Older guidance says to enable it so that computers in workgroups, or Windows NT 4.0 MSMQ clients, can exchange messages with Active Directory domains. A better alternative is to create a dedicated user account for those systems with Read permission on Active Directory, rather than opening the Guest account to anonymous access.
Message authentication.
Messages are not authenticated by default. Requiring authentication means that the sender digitally signs each message and the receiving queue rejects any message that is unsigned or whose signature does not verify, which proves who sent the message and that it was not altered in transit. Signing adds processing and may slow delivery; weigh the tradeoff, but prefer authentication for any queue whose messages trigger actions.
MSMQ server authentication.
Message Queuing server certificates can be issued to authenticate communication with Message Queuing clients. Although optional, if a server certificate is installed it is used both by Message Queuing servers and by Internet Information Services for secure HTTPS message exchange.
MSMQ encryption.
Message encryption is not used by default. Messages can be encrypted and decrypted using the Microsoft CryptoAPI with the Microsoft Base Cryptographic Service Provider, version 2.0 or later, which must be present on every Message Queuing computer that sends or receives encrypted messages. Historically the U.S. version used 128-bit encryption while international versions did not; this distinction stems from export rules of the time and does not apply to current Windows releases. The cost of encryption is reduced throughput: for each message the sender generates a symmetric key, encrypts the body with it, and encrypts that key with the receiving computer's public key (published in Active Directory); the receiving computer uses its private key to recover the symmetric key and decrypt the body.
Auditing.
Auditing lets an administrator record which users attempt to access Message Queuing objects and whether they succeed. Reviewing the success and failure entries in the Security event log makes attempts by unauthorized users far more likely to be detected.
SETTING PERMISSIONS FOR A COMPUTER OR QUEUE
To set the permissions for a computer or queue, do the following:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. In the console tree, select the computer's msmq object or the targeted queue.
4. Right-click the object and select Properties.
5. Select the Security tab and set the desired permissions for the computer or queue.
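The scripted equivalent of the permission procedure above, combined with the authentication and encryption settings from the security list, as an added example that is not from the book or from Microsoft. It uses the System.Messaging .NET API and assumes a domain-joined computer, a sending user who has a Message Queuing internal certificate registered in Active Directory (required for signing), and queue and group names that are made up for the example.

```powershell
# Added example (not from the book): a private queue with a tightened ACL that
# accepts only signed messages with encrypted bodies, plus matching send and
# receive helpers. System.Messaging is the .NET API over Message Queuing.
# Assumptions (not stated on the page): the computer is domain-joined, the
# sending user has a Message Queuing internal certificate registered in
# Active Directory (required for signing), and the group/queue names are
# made up for the example.

Add-Type -AssemblyName System.Messaging

function New-MsmqHardenedQueue {
    param(
        [Parameter(Mandatory)][string]$Path,          # e.g. '.\private$\orders'
        [Parameter(Mandatory)][string]$SenderGroup    # e.g. 'CONTOSO\OrderSenders'
    )
    $q = if ([System.Messaging.MessageQueue]::Exists($Path)) {
             New-Object System.Messaging.MessageQueue -ArgumentList $Path
         } else {
             [System.Messaging.MessageQueue]::Create($Path, $false)   # $false = non-transactional
         }
    # The default queue ACL lets Everyone and Anonymous Logon send messages;
    # remove both entries and grant send rights to the intended senders only.
    $q.SetPermissions('Everyone',        [System.Messaging.MessageQueueAccessRights]::WriteMessage,
                      [System.Messaging.AccessControlEntryType]::Revoke)
    $q.SetPermissions('ANONYMOUS LOGON', [System.Messaging.MessageQueueAccessRights]::WriteMessage,
                      [System.Messaging.AccessControlEntryType]::Revoke)
    $q.SetPermissions($SenderGroup,      [System.Messaging.MessageQueueAccessRights]::WriteMessage,
                      [System.Messaging.AccessControlEntryType]::Allow)
    $q.SetPermissions('BUILTIN\Administrators', [System.Messaging.MessageQueueAccessRights]::FullControl,
                      [System.Messaging.AccessControlEntryType]::Allow)
    # Reject unsigned messages and messages whose body is not encrypted.
    $q.Authenticate       = $true
    $q.EncryptionRequired = [System.Messaging.EncryptionRequired]::Body
    $q
}

function Send-MsmqProtectedMessage {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Body,
          [string]$AdminPath = '.\private$\orders_admin')   # receives acknowledgments; assumed to exist
    $q   = New-Object System.Messaging.MessageQueue -ArgumentList $Path
    $msg = New-Object System.Messaging.Message
    $msg.Body                = $Body                  # default XmlMessageFormatter serialises the string
    $msg.UseAuthentication   = $true                  # sign with the sender's internal certificate
    $msg.HashAlgorithm       = [System.Messaging.HashAlgorithm]::Sha
    $msg.UseEncryption       = $true                  # body encrypted; key wrapped for the destination computer
    $msg.EncryptionAlgorithm = [System.Messaging.EncryptionAlgorithm]::Rc4
    $msg.Recoverable         = $true                  # written to disk rather than held in memory only
    $msg.AdminQueue          = New-Object System.Messaging.MessageQueue -ArgumentList $AdminPath
    $msg.AcknowledgeType     = [System.Messaging.AcknowledgeTypes]::FullReceive   # positive and negative acks
    $q.Send($msg, 'order')
    $msg.Id
}

function Receive-MsmqVerifiedMessage {
    param([Parameter(Mandatory)][string]$Path, [int]$TimeoutSeconds = 5)
    $q = New-Object System.Messaging.MessageQueue -ArgumentList $Path
    $q.Formatter = New-Object System.Messaging.XmlMessageFormatter
    $q.Formatter.TargetTypes = [Type[]]@([string])
    $q.MessageReadPropertyFilter.Authenticated = $true   # ask for the signature-verified flag
    $q.MessageReadPropertyFilter.SenderId      = $true
    $m = $q.Receive([TimeSpan]::FromSeconds($TimeoutSeconds))
    # Authenticated is set by Message Queuing only after it verified the signature,
    # so the application may trust SenderId (the sender's SID) only when it is true.
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $m.SenderId, 0
    [pscustomobject]@{
        Body          = $m.Body
        Authenticated = $m.Authenticated
        Sender        = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
}

New-MsmqHardenedQueue -Path '.\private$\orders' -SenderGroup 'CONTOSO\OrderSenders' | Out-Null
Send-MsmqProtectedMessage -Path '.\private$\orders' -Body '<order id="1"/>'
Receive-MsmqVerifiedMessage -Path '.\private$\orders'
```

With Authenticate set on the queue, an unsigned message never reaches the application: Message Queuing rejects it and, if the sender asked for acknowledgments, returns a negative acknowledgment to the sender's administration queue. RC4 and SHA-1 are what this generation of Message Queuing offers and are not considered strong today, so treat message-level protection as defence in depth alongside IPsec or a VPN between sites rather than as a substitute for them.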
CHANGING OWNERSHIP OF A COMPUTER OR QUEUE
Change the ownership for a computer or queue as follows:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. In the console tree, select the computer's msmq object or the targeted queue.
4. Right-click the object and select Properties.
5. Select the Security tab and click Advanced.
6. Select the Owner tab. In the Change Owner To box, select the new user or group.
7. Click OK.
SETTING DEFAULT SECURITY FOR MESSAGE QUEUING STORAGE files
Message, log, and transaction files are stored by default in %windir%\System32\MSMQ\Storage. To restrict access to these files, perform the following:
1. Open Windows Explorer and navigate to the storage folder.
2. Right-click the storage folder, select Properties, and then select the Security tab.
3. Confirm that the System and Administrators groups, and the account the Message Queuing service runs under, have Full Control under Allow.
4. In the Name box, select each remaining user or group that should not have access to the MSMQ storage folder and click Remove.
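The same lock-down as a script that can be re-run and whose output can be kept as evidence (an added example, not from the book or from Microsoft). It assumes the default storage folder under %windir%\System32\MSMQ\Storage and that the service runs as NETWORK SERVICE; check the service account first and pass it in -AllowedPrincipals if it differs.

```powershell
# Added example (not from the book): restrict the Message Queuing storage
# folder to the principals that need it and report what remains. Assumptions:
# the default folder under %windir%\System32\MSMQ\Storage, and that the
# service runs as NETWORK SERVICE; confirm the service account first with
#   (Get-CimInstance Win32_Service -Filter "Name='MSMQ'").StartName
# and pass it in -AllowedPrincipals if it differs.

function Protect-MsmqStorageFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = (Join-Path $env:windir 'System32\MSMQ\Storage'),
        [string[]]$AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                         'NT AUTHORITY\NETWORK SERVICE')
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from System32 (where BUILTIN\Users has read/execute) and do
    # not copy the inherited entries, so only explicit entries remain.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entry for a principal that is not on the allow list.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        if ($AllowedPrincipals -notcontains $ace.IdentityReference.Value) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($p in $AllowedPrincipals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $p, 'FullControl', $inherit, 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Replace DACL')) {
        Set-Acl -Path $Path -AclObject $acl
    }
    # Re-read and list the effective entries so the change can be verified.
    (Get-Acl -Path $Path).Access |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } }, FileSystemRights, AccessControlType
}

Protect-MsmqStorageFolder -WhatIf     # preview; run without -WhatIf to apply
```

Breaking inheritance is the important step: the folder otherwise picks up the read/execute entry for Users from System32, which would let any local user copy recoverable messages and journals straight off the disk. Run the function once with -WhatIf, compare the listed entries against the expected three (plus the service account), and keep the output with the change record.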
SETTING UP COMPUTER OR QUEUE AUDITING
To audit access to a computer or queue, take the following steps:
1. Open the Active Directory Users and Computers snap-in.
2. Open the View menu and select Users, Groups, and Computers as containers.
3. In the console tree, select the computer's msmq object or the targeted queue.
4. Right-click the object and select Properties.
5. Select the Security tab and click Advanced.
6. Select the Auditing tab and click Add.
7. In the Select User, Computer, or Group dialog box, select the user or group to audit and click OK.
8. In the Auditing Entry dialog box, select the objects to audit in the Apply onto list and select the desired Successful and Failed settings in the Access list.
AUDITING A ROUTING LINK
To audit access to a routing link, do the following:
1. Open the Active Directory Sites and Services snap-in.
2. In the console tree, expand Services and select MsmqServices.
3. Right-click the targeted routing link and select Properties.
4. Select the Security tab and click Advanced.
5. Select the Auditing tab and click Add.
6. In the Select User, Computer, or Group dialog box, select the user or group to audit and click OK.
7. In the Auditing Entry dialog box, select the objects to audit in the Apply onto list and select the desired Successful and Failed settings in the Access list.
Windows Server 2003 Specific Message Queuing Enhancements
While the differences between Windows 2000 and Windows Server 2003 Message Queuing Services are few, the following features deserve mention.
Message Queuing deployment.
MSMQ 3.0 clients now use LDAP to access Active Directory directly, which eliminates the requirement to deploy Message Queuing on domain controllers.
Message Queuing Distribution Lists.
Message Queuing permits the sending of messages to Active Directory Distribution Lists (DL) by the "group" class. Usage and format is similar to that of Public Queues: DL=<guid>[@<domain>]. Distribution group object creation and management in the Active Directory is done via the ADSI API or by using the Active Directory MMC snap-in. Only public queues can be elements of DL objects.
Message Queuing Alias.
A new Active Directory object introduced with Windows Server 2003, the Queue Alias, acts as a reference to any Message Queuing queue, including a private queue or a queue named by a direct format name. Because an alias can stand in for a private queue, aliases make it possible to include private queues in Message Queuing Distribution Lists, which otherwise accept only public queues.
Message Queuing Triggers.
In previous versions, the Triggers feature was delivered by the Software Development Kit (SDK) as an add-on. The Message Queuing Triggers module is now incorporated into the core product. This allows administrators to permit components or executables to be invoked automatically based on message arrival.
Message Queuing Internet Messaging.
Message Queuing supports Internet Messaging, which allows messages to be sent to queues on the Internet or an intranet. This is accomplished with a URL-style format name of the form DIRECT=HTTP://host/msmq/queuename (forward slashes; HTTPS can be used where a server certificate is installed). Internet and intranet messaging to URL-named queues requires Internet Information Services and the Message Queuing HTTP support component on the receiving computer.
Message Queuing Real-Time Message Multicasting.
Message Queuing allows message delivery to IP multicast groups using the PGM IP multicast protocol. Two new operators are introduced: (1) a new queue formatname with syntax: "MULTICAST=<multicast IP address>[:<port address>]"; (2) a new queue property with a multicast address: MSMQQueueInfo.MulticastAddress.
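The multicast and HTTP format names introduced above, driven from the System.Messaging API, as an added example that is not from the book or from Microsoft. The multicast group, host name and queue names are made up; the HTTP target needs the Message Queuing HTTP support component and IIS on the receiving computer, and PGM multicast must be permitted on the subnet.

```powershell
# Added example (not from the book): the Windows Server 2003 format names
# described above, driven from System.Messaging. The multicast group, host
# name and queue names are made up for the example; the HTTP target needs the
# Message Queuing HTTP support component and IIS on the receiving computer,
# and PGM multicast must be allowed on the subnet.

Add-Type -AssemblyName System.Messaging

function New-MsmqMulticastQueue {
    param([string]$Path = '.\private$\pricefeed', [string]$Group = '234.1.1.1:8001')
    $q = if ([System.Messaging.MessageQueue]::Exists($Path)) {
             New-Object System.Messaging.MessageQueue -ArgumentList $Path
         } else {
             [System.Messaging.MessageQueue]::Create($Path)
         }
    # Joining a PGM group is a queue property (MulticastAddress); every queue on
    # the subnet with the same address receives each message sent to the group.
    $q.MulticastAddress = $Group
    $q
}

function Send-MsmqToFormatName {
    param([Parameter(Mandatory)][string]$FormatName, [Parameter(Mandatory)][string]$Body, [string]$Label = '')
    # The FormatName: prefix bypasses Active Directory path lookup, so the same
    # call reaches MULTICAST=, DIRECT=HTTP:// and DIRECT=TCP: targets.
    $q   = New-Object System.Messaging.MessageQueue -ArgumentList ("FormatName:$FormatName")
    $msg = New-Object System.Messaging.Message
    $msg.Body = $Body
    $q.Send($msg, $Label)
    $q.FormatName
}

New-MsmqMulticastQueue | Out-Null
# Real-time multicast: delivered to every listening queue on the group, with no routing and no acknowledgments.
Send-MsmqToFormatName -FormatName 'MULTICAST=234.1.1.1:8001' -Body '<quote sym="ABC" px="10.5"/>' -Label 'quote'
# Internet messaging: host/msmq/<queue path>, with forward slashes.
Send-MsmqToFormatName -FormatName 'DIRECT=http://mq.example.com/msmq/private$/orders' -Body '<order id="1"/>' -Label 'order'
```

Two cautions follow from the design. Multicast delivery is one-to-many with no acknowledgment and no store-and-forward, so anyone on the subnet who can join the group can read the traffic; use it only for data that is public within that network segment. HTTP delivery exposes a queue through IIS, so the URL should be served over HTTPS and the queue's own ACL, not the web server, remains the control over who may send to it.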
Postscript on Message Queuing
Since Message Queuing and networking, the Active Directory, and other computer management topics are interwoven, we chose not to replicate much of that information here but instead provide a summary view of this application. When installing and deploying Message Queuing, refer to the latest release notes and appropriate sections in this book.Message Queuing can be used to connect with Exchange Server. Additional information on this feature is available from online Help.