IIS7 Administration

Agenda
• Remote Administration
• Shared Configuration
• Scripted Administration

Remote Administration
• IIS Manager has built-in remote administration capabilities
• Terminal Services or an Admin web site is not required
• Clients are IIS Manager on XP, 2003, Vista and Longhorn
• Custom add-ins are downloaded to the remote client
• Uses the WMSVC service (a Windows service)
• Requires the Management Service to be installed in Server Manager
• Enabled in IIS Manager; turned off by default

The WMSVC Service
• Essentially a web application running on a standalone server
• Runs as Local Service (NT Service\WMSVC)
• If using UNC content, run it as an identity with UNC access
• Startup type is Manual by default; change it to Automatic so it starts on reboot:

    sc config WMSVC start= auto

• Enforces HTTPS
• Type of user allowed: Windows users or IIS Manager users

Connections
• Can be bound to a specific IP address
• Configurable listening port; 8172 by default
• When connecting, specify the port as <machine>:<port> (e.g. myserver:5050)
• Logging can be turned on/off and the log directory can be changed
• Certificate for SSL is preinstalled
• IP and domain restrictions: restrict connections to specific IP addresses/domains, or block specific IP addresses/domains

Logging
• Logs all HTTP connections to the WMSVC service
• Logs are stored at <os drive>:\inetpub\logs\wmsvc
• Useful for auditing
• W3SVC log file format
• Service errors are visible in Event Viewer (eventvwr.exe)

Who Can Connect
• Administrators: control the entire web server remotely
• Non-administrators: identity stored as Windows users or "IIS Manager Users"; control of sites/applications (developers, site owners, application owners)
• The administrator decides what a user can view/change with Feature Delegation

Administrators
• Only an Administrator can connect to the server node
• Can see all settings and connect to other nodes
• Does not need explicit permissions
• If Remote Administration is enabled, a server administrator can log in.
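The slides above describe the WMSVC settings one at a time. The PowerShell below is an added example (not from the deck) that applies them together, switches the startup type, and then verifies the listener, the HTTPS binding and the connection log. It assumes an elevated prompt on a Windows Server 2008 machine with the Management Service role service installed; the registry value names are the ones IIS Manager writes under HKLM\SOFTWARE\Microsoft\WebManagement\Server (confirm them on your build), 10.0.0.5 is a placeholder management-network address, and the log lines at the end are constructed, not captured from a real server.

```powershell
# Added example, not part of the deck. Assumptions: elevated PowerShell on an
# IIS 7 server with the Management Service installed; registry value names as
# written by IIS Manager; 10.0.0.5 is a placeholder management interface.
$key = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'

# WMSVC reads its settings at start-up, so stop it before changing them.
Stop-Service WMSVC -ErrorAction SilentlyContinue

Set-ItemProperty $key -Name EnableRemoteManagement   -Value 1           # off by default
Set-ItemProperty $key -Name Port                     -Value 8172        # default port
Set-ItemProperty $key -Name IPAddress                -Value '10.0.0.5'  # management interface only, not '*'
Set-ItemProperty $key -Name EnableLogging            -Value 1           # W3SVC-format connection log
Set-ItemProperty $key -Name LoggingDirectory         -Value 'C:\inetpub\logs\wmsvc'
Set-ItemProperty $key -Name RequiresWindowsCredentials -Value 1         # 1 = Windows users only; 0 also admits IIS Manager users

# Startup type is Manual by default; Automatic makes it survive a reboot.
sc.exe config WMSVC start= auto | Out-Null
Start-Service WMSVC

# Check 1: the service listens on the address and port we asked for, and nowhere else.
netstat -ano | Select-String ':8172\s'

# Check 2: the HTTPS binding and the certificate behind it. The preinstalled
# certificate is self-signed (WMSvc-<hostname>), so clients see a trust warning
# and cannot distinguish it from an attacker's; replace it with a CA-issued one
# before exposing the port beyond the admin network.
netsh http show sslcert | Select-String -Pattern '8172' -Context 0,3

# Check 3: audit the connection log. Repeated 401s from one client are a
# password-guessing attempt against the endpoint. Written for PowerShell 2.0.
function Get-FailedWmsvcLogons {
    param([string[]]$LogLines, [int]$Threshold = 3)
    $fields = $null
    $failed = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -like '#*' -or $fields -eq $null) { continue }      # other W3C directives
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -eq '401') { New-Object PSObject -Property $row }
    }
    $failed | Group-Object 'c-ip' | Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{n = 'ClientIP'; e = { $_.Name }}, Count
}

# Constructed sample in the W3C format WMSVC writes; a real file is
# C:\inetpub\logs\wmsvc\u_ex*.log and can be fed in with Get-Content.
$sample = @(
    '#Software: Microsoft Internet Information Services 7.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status',
    '2007-03-01 10:00:01 10.0.0.5 POST /Service.axd - 8172 - 203.0.113.9 401',
    '2007-03-01 10:00:02 10.0.0.5 POST /Service.axd - 8172 - 203.0.113.9 401',
    '2007-03-01 10:00:03 10.0.0.5 POST /Service.axd - 8172 - 203.0.113.9 401',
    '2007-03-01 10:00:04 10.0.0.5 POST /Service.axd - 8172 - 203.0.113.9 401',
    '2007-03-01 10:05:00 10.0.0.5 POST /Service.axd - 8172 CORP\admin 10.0.0.20 200'
)
Get-FailedWmsvcLogons -LogLines $sample       # reports 203.0.113.9 with Count 4
```

Pair the log check with the IP and domain restrictions the slide mentions: an address that shows up in this report and has no business connecting should be blocked there, and the 401 count is also a cheap thing to alert on from the Event Viewer/MOM side.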
Non-Administrators
• Non-admins can connect to sites and applications
• Explicit permission is required
• Content can be ACL'd for greater security

IIS Manager Users
• Created in IIS Manager
• Only used by WMSVC and the Admin UI; not used by any other IIS component
• DO NOT map to Windows users
• Stored in administration.config by default
• Use an IIS authentication provider; the provider can be replaced by a custom one, e.g. one that stores authentication info in SQL Server
• Only used for site/application connections

Demo
• Creating IIS Manager Users
• Site/Application Permissions
• Authorizing Access
• Connecting to Sites

Feature Delegation
• Remote users can only edit delegated features
• Changes are written to web.config
• Most features are shown by default
• Non-delegated features can be hidden from the remote user
• Allows creation of a custom UI for remote users

Connection    Users who can connect                                      Configuration scope (where config changes go)
Server        Windows Administrators                                     applicationHost.config
Site          Windows Administrators, Windows Users, IIS Manager Users   web.config
Application   Windows Administrators, Windows Users, IIS Manager Users   web.config
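The demo steps and the delegation table above are easier to reason about in script form. The following is an added example (not from the deck): it creates an IIS Manager user, authorizes it on one site, locks one feature so the remote user cannot change it, and shows where to verify each result. It assumes an elevated prompt on the IIS 7 server; the user name, password and "Default Web Site" are placeholders; the Microsoft.Web.Management.Server types are the API behind IIS Manager's own "IIS Manager Users" and "IIS Manager Permissions" features, and appcmd is used for the delegation lock.

```powershell
# Added example, not part of the deck. Assumptions: elevated PowerShell on the
# IIS 7 server; 'siteowner' and 'Default Web Site' are placeholders.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'
Add-Type -Path (Join-Path $inetsrv 'Microsoft.Web.Management.dll')

$userName = 'siteowner'
$site     = 'Default Web Site'

# 1. IIS Manager users live in administration.config and are checked only by
#    WMSVC / IIS Manager; no other IIS component, and nothing in Windows, can
#    authenticate with them.
$auth = [Microsoft.Web.Management.Server.ManagementAuthentication]
if ($auth::GetUser($userName) -eq $null) {
    $auth::CreateUser($userName, 'Use-A-Long-Random-Passphrase-1') | Out-Null
}

# 2. Non-administrators get no implicit access: grant this one user the right to
#    connect to one site (third argument $false = a user, not a role). A site
#    or application is the highest node such a user can ever reach.
$authz = [Microsoft.Web.Management.Server.ManagementAuthorization]
$authz::Grant($userName, $site, $false)

# 3. Feature delegation. Features left Read/Write are written into the site's
#    web.config by the remote user; a locked section stays under the server
#    administrator's control in applicationHost.config. Handler mappings decide
#    which code runs for which URL, so lock them for this site.
& (Join-Path $inetsrv 'appcmd.exe') lock config $site /section:system.webServer/handlers /commit:apphost

# 4. Verify: who may connect to the site, and that the lock was written.
$authz::GetAuthorizedUsers($site, $false, 0, 100) | Select-Object Name, IsRole
Select-String -Path (Join-Path $inetsrv 'config\applicationHost.config') `
    -Pattern 'overrideMode="Deny"' -Context 0,3
```

The user can only log on once the Management Service is set to accept "Windows credentials or IIS Manager credentials"; with the Windows-only setting, the grant above is inert. Keep the NTFS ACL on the site's content in step with the grant: delegation limits what the user can change through IIS Manager, the ACL limits what the worker process and the user can touch on disk.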
Web Farms Before IIS7 (diagram)
1. Configure master server (Metabase.XML)
2. Replicate config
3. Change configuration (Metabase.XML)
4. Re-replicate config (Metabase.XML)
Replication and synchronization are challenging, requiring custom code.

Shared Configuration
• Designed for the web farm scenario from the start
• Multiple servers share a single configuration file
• A UNC share is created for the master config
• When configured, servers direct config requests to the share location
• A local or domain user is specified as the identity for remote access

Setting Up Shared Configuration
1. Export settings using the IIS Manager Shared Configuration feature
2. Create an identical local user [Configuser] on all web servers (or use a domain account)
3. Assign the user the right "Log on as a batch job"
4. Create a share for the config files: share permissions [Configuser] Change; NTFS ACLs [Configuser] Read
5. Place the config files in the UNC path
6. Edit redirection.config

Versioning (diagram): AppHost.config Version 1 -> Staging -> New Config Version 2
• Easily manage multiple configuration versions for staging and rollback

Caveats
• Designed to work in a homogeneous farm
• Must properly stage and replicate
• Adding new components to IIS / extending IIS7 configuration

What's Next
• Shared configuration solves one of several web farm issues
• Replication tool to be released near RTM
• MOM pack for web server monitoring

When You Xcopy applicationHost.config
• Export the machine keys for encryption
• Ensure server configuration is identical
• Custom modules exist on all servers

When You Install Global Filters, Modules or IIS Components
• Remove a server from the farm to test
• Add any local dependencies BEFORE you change the shared config!
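The setup steps and the two "when you..." checklists above are one procedure from a farm member's point of view. The PowerShell below is an added example (not from the deck) that carries it out: export the machine keys and copy the files on the master, import the keys on each member, check that every module named in the shared <globalModules> list actually exists locally (the "add local dependencies BEFORE you change the shared config" rule, and the cause of the 503s in the notes at the end of this deck), and only then point the server at the share. It assumes an elevated prompt on a 64-bit IIS 7 server; \\cfgserver\iisconfig and Configuser are placeholders; iisConfigurationKey and iisWasKey are the RSA key containers IIS 7 uses to encrypt secrets in applicationHost.config; share and NTFS permissions are set on the file server as the slide describes and are not scripted here because a local Configuser account must be resolved on that machine.

```powershell
# Added example, not part of the deck. Run with -Master on the exporting
# server, without it on every other farm member. Assumptions: elevated
# PowerShell on 64-bit IIS 7; placeholders for share path and user.
param(
    [string]$SharePath  = '\\cfgserver\iisconfig',
    [string]$ConfigUser = 'Configuser',
    [string]$Password   = (Read-Host 'Password for Configuser'),
    [switch]$Master
)

$inetsrv = Join-Path $env:windir 'System32\inetsrv'
$netfx   = Join-Path $env:windir 'Microsoft.NET\Framework64\v2.0.50727'
$keys    = 'iisConfigurationKey', 'iisWasKey'

if ($Master) {
    # Export the RSA machine keys (-pri includes the private key) and copy the
    # configuration files. A member without these keys cannot decrypt the
    # application pool identities and other secrets stored in the shared file.
    foreach ($container in $keys) {
        & "$netfx\aspnet_regiis.exe" -px $container "$SharePath\$container.xml" -pri
    }
    Copy-Item "$inetsrv\config\applicationHost.config" $SharePath
    Copy-Item "$inetsrv\config\administration.config"  $SharePath
    return
}

# Member: import the same key containers before touching redirection.
foreach ($container in $keys) {
    & "$netfx\aspnet_regiis.exe" -pi $container "$SharePath\$container.xml"
}

# Pre-flight: every <globalModules> image in the shared config must be present
# on this server. A reference to a missing binary stops W3SVC from loading the
# pipeline and every request answers 503, so fail here rather than after the switch.
function Test-GlobalModules {
    param([string]$AppHostConfigPath)
    [xml]$cfg = Get-Content $AppHostConfigPath
    $missing = @()
    foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
        $image = [Environment]::ExpandEnvironmentVariables($m.image)
        if (-not (Test-Path $image)) { $missing += ('{0} -> {1}' -f $m.name, $image) }
    }
    return $missing
}
$missing = Test-GlobalModules "$SharePath\applicationHost.config"
if ($missing.Count -gt 0) {
    throw "Install these on this server before enabling shared config:`n" + ($missing -join "`n")
}

# Redirect this server to the share (the same change the deck's JScript makes,
# here through Microsoft.Web.Administration), then restart IIS so WAS and
# W3SVC re-read redirection.config. The password is encrypted on write.
Add-Type -Path (Join-Path $inetsrv 'Microsoft.Web.Administration.dll')
$sm  = New-Object Microsoft.Web.Administration.ServerManager
$red = $sm.GetRedirectionConfiguration().GetSection('configurationRedirection')
$red.SetAttributeValue('enabled',  $true)
$red.SetAttributeValue('path',     $SharePath)
$red.SetAttributeValue('userName', $ConfigUser)
$red.SetAttributeValue('password', $Password)
$sm.CommitChanges()
iisreset
```

Run Test-GlobalModules again every time a module or filter is added to the shared file: the check is the scripted form of "remove a server from the farm to test". The exported key XML files contain private keys; delete them from the share once every member has imported them.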
When You Use Code to Enable Shared Configuration
• Export the machine keys
• Copy configuration files to a share
• Edit redirection.config to enable it:

    var config = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager");
    config.CommitPath = "MACHINE/REDIRECTION";
    var section = config.GetAdminSection("configurationRedirection", "MACHINE/REDIRECTION");
    section.Properties.Item("enabled").Value = true;
    section.Properties.Item("path").Value = "\\\\somemachine\\share\\folder";
    section.Properties.Item("userName").Value = "user";
    section.Properties.Item("password").Value = "pass";
    config.CommitChanges();

Scripted Administration
• ADSI: IIS 6 compatibility
• APPCMD: general purpose command line utility
• WMI: improved for Longhorn and IIS7
• Microsoft.Web.Administration: managed API to control state and configuration
• PowerShell: use with Microsoft.Web.Administration and WMI

WMI with the IIS6 provider (root\MicrosoftIISv2): NOT CONSISTENT

    Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

    ' Create binding for new site
    Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
    oBinding.IP = ""
    oBinding.Port = "80"
    oBinding.Hostname = "www.site.com"

    ' Create site and extract site name from return value
    Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
    strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")
    Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
    objPath.Path = strSiteName
    strSitePath = objPath.Keys.Item("")

    ' Start the site, then create the vdir for our application
    Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
    oSite.Start
    Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
    oVDirSetting.Name = strSitePath & "/ROOT/bar"
    oVDirSetting.Path = "C:\inetpub\bar"
    oVDirSetting.Put_

    ' Make the VDir an application
    Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
    oVDir.AppCreate2

WMI with the IIS7 provider (root\WebAdministration): CONSISTENT

    Set oService = GetObject("winmgmts:root\WebAdministration")

    ' Create binding for site
    Set oBinding = _
        oService.Get("BindingElement").SpawnInstance_
    oBinding.BindingInformation = "*:80:www.site.com"
    oBinding.Protocol = "http"

    ' Static Create methods
    ' Create site
    oService.Get("Site").Create _
        "NewSite", array(oBinding), "C:\inetpub\wwwroot"

    ' Create application
    oService.Get("Application").Create _
        "/foo", "NewSite", "C:\inetpub\wwwroot\foo"

Microsoft.Web.Administration: runtime data (worker processes and executing requests)

    using System;
    using Microsoft.Web.Administration;

    class ListRequests
    {
        static void Main()
        {
            using (ServerManager iisManager = new ServerManager())
            {
                foreach (WorkerProcess w3wp in iisManager.WorkerProcesses)
                {
                    Console.WriteLine("W3WP ({0})", w3wp.ProcessId);
                    // 0 = no minimum elapsed time: list every request currently executing
                    foreach (Request request in w3wp.GetRequests(0))
                    {
                        Console.WriteLine("{0} - {1},{2},{3}",
                            request.Url, request.ClientIPAddr,
                            request.TimeElapsed, request.TimeInState);
                    }
                }
            }
        }
    }

With PowerShell.....

ADSI: IIS6 Compatibility
• Provides compatibility for scripts, command line tools and native calls into ABO
• Not installed by default: install IIS 6 Compatibility
• Can only do what IIS6 could do:
  - Can't read/write new IIS properties: application pool managedPipelineMode and managedRuntimeVersion, Request Filtering, Failed Request Tracing
  - Can't read/write ASP.NET properties
  - Can't read/write web.config files
  - Can't access new runtime data, e.g. worker processes, executing requests
• (diagram) IIS6 ADSI script -> IISADMIN -> ABOMapper -> applicationHost.config

Summary
• Remote Administration: built in; access is scoped to roles and delegation; use HTTPS to connect to remote servers; choice of client operating systems
• Shared Configuration for web farms
• Automated administration tasks with WMI (enterprise-wide management), APPCMD (local, general purpose), Microsoft.Web.Administration (integrate into deployment and management programs), ADSI (IIS6 compat)

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Notes: Shared Configuration
• Will cause all application pools to recycle: changes to default settings for all application pools; changes to the <globalModules> list
• Will cause one application pool to recycle: that application pool's settings
• Use only RSA machine-encryption (the default) and replicate the RSA machine key: http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx
• Gotchas:
  - Machine-specific data, like IP addresses or drive letters
  - Servers must have the same set of modules installed (a reference to a non-existent module in <globalModules> causes 503s)
  - Assemblies in the GAC, certificates, COM+ and other local items

© 2007 Microsoft Corporation. All rights reserved.