Lionel Cau
Snr Consultant & MS Practice Mger
Sogeti Switzerland
Competence Center
Microsoft Infrastructure Optimisation (MIO): performs a complete assessment, evaluates your maturity level, delivers a ready-to-use and relevant IT director plan
eXcellence in Migration Project (XMP): a complete project management kit helping you, in a short time frame, to evaluate, prepare, organize and build a Vista migration
Virtualization and costs: combines virtualization benefits with a quality-focused and cost-reducing approach
SoftGrid RightShore
3 branches of a star, 3 stars of a branch!
MIT: always keeping in mind technology and methodology
FTP 7: Management; Overview of new features
IIS 7: Management; Architecture & Performance; Security; Configuration & Administration; Shared configuration; PHP, Silverlight…
Microsoft will ship the following for Windows
Server 2008:
A feature-rich FTP service
An updated version of FPSE
A redesigned WebDAV implementation
All will be available as free downloads
[Diagram: FPSE, FTP and WebDAV shown as components on top of IIS]
Integration with IIS 7 Configuration
IIS 6: IIS administrators needed to create two
sites in the past because HTTP and FTP sites
stored their settings separately
FTP 7 integrates with the IIS 7 configuration
system
Virtual Hosts
IIS 6: Hosting multiple FTP sites requires
unique IP addresses because FTP protocol
architecture lacks the flexibility of HTTP’s host
headers
FTP 7 introduces “virtual host” support.
Hosting Improvements: User Isolation
IIS 6: FTP user isolation in IIS 6 required
physical directories because FTP user isolation
could not support virtual directories
FTP 7 user isolation allows both virtual and
physical directories
Hosting Improvements: Disk Quotas
IIS 6 : Server administrators have no way to
limit disk usage for FTP sites because FTP
does not support quotas
FTP 7 integrates with FSRM directory quotas
in Windows Server 2008
Security and New Internet Standards
IIS 6: The FTP services in IIS 6 and earlier do
not support SSL, IPv6, or UTF8
FTP 7 supports FTP over SSL, IPv6, and UTF8
(Note: FTP 7 supports FTPS, not SFTP)
Extensibility
IIS 6 : New FTP functionality could not be
added in IIS 6 because FTP was not extensible
FTP 7 supports custom authentication, roles,
home directories, and commands (extensibility
is provided for both Managed and Native code)
The following download packages are
currently available on the www.iis.net web
site:
FTP 7 for x86:
http://go.microsoft.com/fwlink/?LinkId=87847
FTP 7 for amd64/x64:
http://go.microsoft.com/fwlink/?LinkId=89114
FPSE for Windows Server 2008 and Vista:
http://go.microsoft.com/fwlink/?LinkId=86544
Web edition
Up to 4 processors (16 cores)
Up to 4 GB RAM (32-bit) or 32 GB (x64)
512 MB minimum for the OS
Microsoft® SQL Server™ 2005 support for local web applications – SP2 required
Windows SharePoint Services 3.0 SP1 (free) available as a separate download
Core setup or classic, as you wish
No more MMC snap-in: a dedicated console
Completely redesigned IIS Manager
Allows IIS and ASP.NET configuration
Icons instead of tabs
Fully extensible
Add new management and IIS features
Integrate custom applications config
View health and diagnostics info
Built-in remote administration over HTTPS
Manage 1 or 1000s of sites
Connect to an IIS 7 server using IIS Manager
HTTPS is used: no Terminal Services or admin Web site needed
The service is provided by the WMSVC service (Web Management Service)
Use IIS Manager from Windows® XP,
Windows® 2003 and Windows Vista™
Delegated settings control the user experience
The Management Service is one of the recommended services for hosters
The administrator decides which features non-admins can control
Site owners control delegated settings
No elevated privileges required!
Delegated settings are in web.config
At site level, or nested at application level
Shares web.config with the ASP.NET configuration
Xcopy deploy configuration and content
Take precautions to protect against overwrites
APPCMD
General purpose command line tool
Managed code API
Microsoft.Web.Administration
WMI
Improved namespace for IIS 7
ADSI compatibility
Compatibility feature not installed by default
Powershell
Use with Managed API and WMI
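The slide lists the management surfaces (APPCMD, Microsoft.Web.Administration, WMI, PowerShell) without showing one in use. The following script is an added example, not from the deck or from Microsoft: it drives the managed API from PowerShell 2.0 to inventory every site and application on an IIS 7 server, which application pool and pipeline mode each one runs in, the pool identity, and whether anonymous and Windows authentication are enabled for the site. The assembly path (the default inetsrv location) and the requirement to run elevated on the server itself are assumptions.

```powershell
# Added example, not from the slides: audit an IIS 7 server through Microsoft.Web.Administration.
# Assumes PowerShell 2.0, run elevated on the IIS 7 server, assembly at the default inetsrv path.
[System.Reflection.Assembly]::LoadFrom("$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll") | Out-Null

$mgr    = New-Object Microsoft.Web.Administration.ServerManager
$config = $mgr.GetApplicationHostConfiguration()

# Reads one attribute of a section scoped to a site (the <location path="site"> block in applicationHost.config).
# Returns $null when the section is not declared, e.g. because that authentication module is not installed.
function Get-SiteAttribute([string]$sectionPath, [string]$siteName, [string]$attribute) {
    try   { return $config.GetSection($sectionPath, $siteName).GetAttributeValue($attribute) }
    catch { return $null }
}

$report = foreach ($site in $mgr.Sites) {
    # Bindings: which protocols and endpoints the site listens on.
    $bindings = ($site.Bindings | ForEach-Object { "$($_.Protocol) $($_.BindingInformation)" }) -join "; "

    foreach ($app in $site.Applications) {
        $pool = $mgr.ApplicationPools[$app.ApplicationPoolName]
        New-Object PSObject -Property @{
            Site          = $site.Name
            Bindings      = $bindings
            Application   = $app.Path
            AppPool       = $app.ApplicationPoolName
            Pipeline      = $pool.ManagedPipelineMode        # Classic (IIS 6 behaviour) or Integrated
            Identity      = $pool.ProcessModel.IdentityType  # NetworkService, LocalSystem, SpecificUser...
            AnonymousAuth = Get-SiteAttribute "system.webServer/security/authentication/anonymousAuthentication" $site.Name "enabled"
            WindowsAuth   = Get-SiteAttribute "system.webServer/security/authentication/windowsAuthentication"   $site.Name "enabled"
        }
    }
}
$mgr.Dispose()

# Rows with Pipeline = Classic or Identity = LocalSystem are the ones to review first.
$report | Sort-Object Site, Application |
    Format-Table Site, Application, AppPool, Pipeline, Identity, AnonymousAuth, WindowsAuth -AutoSize
```

The same objects (ServerManager, Sites, ApplicationPools, GetApplicationHostConfiguration) are what the IIS Manager console and APPCMD sit on, so a value seen here is the value the server actually uses, not a copy held by a script.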
[Diagram: IIS 6 request pipeline. Authentication (NTLM, Basic, Anon) → determine handler (CGI, static file, ASP.NET, ISAPI, PHP…) → send response → log → compress]
Monolithic implementation: install all or nothing…
Extend server functionality only through ISAPI…
[Diagram: IIS 7 request pipeline. Authentication (NTLM, Basic, Anon) → Authorization → ResolveCache → determine handler (CGI, static file, ISAPI…) → ExecuteHandler → UpdateCache → SendResponse → Log → Compress]
Server functionality is split into ~40 modules...
Modules plug into a generic request pipeline…
Modules extend server functionality through a public module API
[Diagram: ASP.NET on IIS 6. aspnet_isapi.dll runs its own pipeline (Windows and Forms authentication, Map Handler, ASPX, Trace…) next to the IIS pipeline (Authentication: NTLM, Basic, Anon; determine handler: CGI, static file, ISAPI; send response; log; compress)]
ISAPI-based implementation
Only sees ASP.NET requests
Feature duplication
[Diagram: Classic (IIS 6) mode versus Integrated mode. In Integrated mode the .NET modules and handlers (Forms and Windows authentication, Map Handler, ASPX, Trace…) plug into the single IIS pipeline: Authentication (Basic, Anon, Forms, Windows) → Authorization → ResolveCache → ExecuteHandler (static file, ISAPI, ASPX) → UpdateCache → SendResponse → Log → Compress]
Two app pool modes: Classic (IIS 6) and Integrated
Integrated mode: .NET modules/handlers plug directly into the pipeline and process all requests
Full runtime fidelity
When to use Classic mode for your application
pool?
If your application relies on the way the IIS6 pipeline
worked, use Classic mode
WSS requires Classic mode
Components that require Metabase Compatibility:
ASP.NET 1.1
FrontPage Server Extensions (out-of-band release)
Windows SharePoint Services
IIS6 based scripts
3rd party applications that rely on custom metabase data
Feature Delegation
Allow non-administrators to manage IIS settings remotely
Allow fine-grained control over feature delegation
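Feature delegation, and the earlier point that delegated settings live in the site's web.config and need no elevated privileges, comes down to the overrideMode of each configuration section in applicationHost.config. The script below is an added example, not from the deck or from Microsoft: it locks the authentication and handler sections so a site owner cannot change them, delegates directoryBrowse and defaultDocument, then acts as a site owner and shows that a delegated change is written to the site's web.config while a change to a locked section is rejected. PowerShell 2.0, elevated execution on the server, and the site name "Default Web Site" are assumptions.

```powershell
# Added example, not from the slides: set feature delegation with Microsoft.Web.Administration
# and prove that a site-level web.config cannot override a locked section.
# Assumes PowerShell 2.0, elevated, on the IIS 7 server; the site name is an assumption.
[System.Reflection.Assembly]::LoadFrom("$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll") | Out-Null
$siteName = "Default Web Site"

# 1. Server administrator: lock what site owners must not touch, unlock what they may.
#    OverrideMode Deny is "Read Only" and Allow is "Read/Write" in the IIS Manager Feature Delegation view.
$mgr    = New-Object Microsoft.Web.Administration.ServerManager
$config = $mgr.GetApplicationHostConfiguration()
$readOnly  = @("system.webServer/security/authentication/anonymousAuthentication",
               "system.webServer/security/authentication/windowsAuthentication",
               "system.webServer/handlers")
$readWrite = @("system.webServer/directoryBrowse", "system.webServer/defaultDocument")
foreach ($p in $readOnly)  { $config.GetSection($p).OverrideMode = [Microsoft.Web.Administration.OverrideMode]::Deny }
foreach ($p in $readWrite) { $config.GetSection($p).OverrideMode = [Microsoft.Web.Administration.OverrideMode]::Allow }
$mgr.CommitChanges()   # writes <location path="" overrideMode="..."> entries to applicationHost.config
$mgr.Dispose()

# 2. Site owner: changes made through GetWebConfiguration land in the site's own web.config.
$mgr = New-Object Microsoft.Web.Administration.ServerManager
$web = $mgr.GetWebConfiguration($siteName)
$web.GetSection("system.webServer/directoryBrowse").SetAttributeValue("enabled", $false)
$mgr.CommitChanges()   # succeeds: directoryBrowse is delegated
"directoryBrowse written to the web.config of $siteName"
$mgr.Dispose()

# 3. The same attempt on a locked section is rejected, so the delegation boundary holds
#    without the site owner needing, or being given, elevated rights.
$mgr = New-Object Microsoft.Web.Administration.ServerManager
$web = $mgr.GetWebConfiguration($siteName)
try {
    $web.GetSection("system.webServer/security/authentication/anonymousAuthentication").SetAttributeValue("enabled", $false)
    $mgr.CommitChanges()
    "unexpected: the locked section was changed"
} catch {
    "rejected as expected: $($_.Exception.Message)"
}
$mgr.Dispose()
```

Because the lock is enforced by the configuration system itself, it also applies to site owners connecting remotely through WMSVC and to any tool (APPCMD, WMI, scripts) that writes the site's web.config; only an administrator editing applicationHost.config can change the override mode.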
Application Pool Isolation
Sandboxing out of the box
IIS identities are built-in
Anonymous user: IUSR_<machinename> becomes IUSR
Easier to administer, scale out and configure
IIS_WPG is now IIS_IUSRS
You don’t have to add worker process identities to the IIS_IUSRS group anymore
Anonymous user is not required anymore
Worker process identity does the job
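Putting the pipeline-mode choice and the pool-identity change together, the script below is an added example, not from the deck or from Microsoft: it creates (or reuses) the pool named newPool from the slides, picks Integrated or Classic mode, runs the pool under a specific account, moves an application into it and grants that account, and only that account, read/execute on the content. The account name, site, application path and PowerShell 2.0 with elevated execution on the server are assumptions; the "Log on as a batch job" right the account needs matches the LOGON_BATCH token WAS creates for it.

```powershell
# Added example, not from the slides: isolate an application in its own pool.
# Pool name follows the slide (newPool); account, site and paths are assumptions.
[System.Reflection.Assembly]::LoadFrom("$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll") | Out-Null
$poolName = "newPool"
$poolUser = "CORP\svc-newpool"    # assumption: low-privilege domain account with "Log on as a batch job"
$siteName = "Default Web Site"    # assumption
$appPath  = "/"                   # assumption

# Prompt for the password rather than embedding it in the script; the API needs it in clear text,
# IIS stores it encrypted in applicationHost.config.
$secure = Read-Host "Password for $poolUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$mgr  = New-Object Microsoft.Web.Administration.ServerManager
$pool = $mgr.ApplicationPools[$poolName]
if ($pool -eq $null) { $pool = $mgr.ApplicationPools.Add($poolName) }

# Integrated unless the application depends on the IIS 6 pipeline (WSS, ASP.NET 1.1, metabase scripts):
# for those set ManagedPipelineMode to Classic instead.
$pool.ManagedPipelineMode       = [Microsoft.Web.Administration.ManagedPipelineMode]::Integrated
$pool.ProcessModel.IdentityType = [Microsoft.Web.Administration.ProcessModelIdentityType]::SpecificUser
$pool.ProcessModel.UserName     = $poolUser
$pool.ProcessModel.Password     = $plain

$app = $mgr.Sites[$siteName].Applications[$appPath]
$app.ApplicationPoolName = $poolName
$mgr.CommitChanges()
$plain = $null

# WAS adds the worker process identity to IIS_IUSRS when the pool starts, so the group needs no
# manual maintenance. The content ACL is still yours to set: the slide's diagram grants newPool full
# control; read/execute is enough for content the pool only serves, and other pools' accounts get nothing.
$root = [Environment]::ExpandEnvironmentVariables($app.VirtualDirectories["/"].PhysicalPath)
& icacls $root /grant "${poolUser}:(OI)(CI)RX"
& icacls $root   # show the resulting ACL
$mgr.Dispose()
```

Each pool that must not read another pool's content gets its own account this way; with the anonymous user no longer required, the worker process identity is the one principal the NTFS ACL has to name.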
[Diagram: application pool isolation. The Windows Process Activation Service (WAS), hosted in svchost.exe, reads the pool definition from applicationHost.config (AppPool: newPool, username: newPoolUser, password: <password>), creates a LOGON_BATCH token for it carrying Users, Everyone and IIS_IUSRS, and starts the worker process (w3wp.exe) under the World Wide Web Service (W3SVC). The ACL on NewPool\wwwroot\default.htm is Administrator:F, System:F, SiteOwner:F, newPool:F, so the newPool worker process gets OK while OtherPool\, Domain Users, HRGroup and <others> are denied]
ETW trace data (IIS 6) is useful, but requires utilities to extract and present the events from the file.
IIS 7 provides preformatted XSLT for easy analysis of the capture.
Metabase corruption issues
Too many machine-specific settings
No way to share the metabase between servers
Lack of metabase synchronization
Difficult to troubleshoot double-hop authentication
Difficult to manage applications remotely
Difficult to deploy new applications
[Diagram: several IIS 6 servers, each with its own Metabase.XML]
1. Configure master server
2. Replicate config
3. Change configuration
4. Re-replicate config
Replication and synchronization are challenging, requiring custom code
Global configuration file: applicationHost.config
Contains all sites, appPools, default settings…
Allows configuration “locking” to distribute config
Distributed configuration file: web.config
Can optionally live with content
Can be local or remote UNC path
Supports Xcopy deployment of application configuration
Metabase available as optional component
Can provide compatible APIs for existing scripts
Only writes to applicationHost.config
Only supports existing IIS 6 properties
[Diagram: configuration hierarchy. .NET Framework: machine.config, then the « root » web.config. IIS: applicationHost.config (local, remote or shared), then optional web.config files at site and vDir level]
Shared App Hosting
[Diagram: several web servers reading one shared applicationHost.config]
Configuration is shared between multiple nodes, it just stays in sync
Location of applicationHost.config is determined by redirection.config
Staging
[Diagram: applicationHost.config version 1 in use, a new version 2 staged next to it]
Easily manage multiple configuration versions for staging and rollback
Portability: Quickly move sites, applications or servers
Replication: Put the same configuration on multiple machines
Synchronization: Keep the configuration in sync
Staged Deployment: Stage and rollback server changes
Regarding content, how could we achieve high fail-over
and scalability?
Store content on a back-end file server, not on the front-ends
Use DFSR to replicate content between file servers
What happens if the file server with the config goes
down, but the Web servers are still up?
Config will be cached in memory. If the Web service is
restarted, it will report invalid config
Mitigation: Use a redundant solution like DFSR for both content
and configuration
How could we cache config files on each local box?
Use Offline files, or Client side caching, just for the shared
config files
Files are copied locally and used until file server is back online
Before you enable shared config!
Make sure that all the servers have the same
components installed (ex: ftp)
Verify on each machine using Role Manager or
registry query
Before you install a new component!
If it writes to the applicationHost.config, you can’t
install it with shared config enabled
Take a server offline and update separately
Best practice is to configure servers as needed
before enabling shared config
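The "verify on each machine using Role Manager or registry query" step can be scripted. The following is an added example, not from the deck or from Microsoft: it reads the installed IIS 7 role services of every farm node from the registry (Windows records each one as a DWORD value of 1 under HKLM\SOFTWARE\Microsoft\InetStp\Components) and reports any node whose component set differs from the first server's. The server names are placeholders; reaching the remote registry needs the Remote Registry service running on each node and administrative rights there.

```powershell
# Added example, not from the slides: compare installed IIS 7 components across a farm
# before enabling shared configuration. Server names are placeholders.
$servers = @("web01", "web02", "web03")

# Returns the sorted list of component names that are installed (value == 1) on one server.
function Get-IisComponents([string]$server) {
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $server)
    $key  = $base.OpenSubKey("SOFTWARE\Microsoft\InetStp\Components")
    if ($key -eq $null) { throw "IIS 7 components key not found on $server" }
    $installed = @()
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 1) { $installed += $name }
    }
    $key.Close()
    $base.Close()
    return $installed | Sort-Object
}

$reference = Get-IisComponents $servers[0]
"Reference $($servers[0]): $($reference.Count) components installed"

foreach ($server in $servers[1..($servers.Length - 1)]) {
    $components = Get-IisComponents $server
    $diff = Compare-Object -ReferenceObject $reference -DifferenceObject $components
    if ($diff) {
        "MISMATCH: $server differs from $($servers[0])"
        foreach ($d in $diff) {
            if ($d.SideIndicator -eq "<=") { "  $($d.InputObject) missing on $server" }
            else                           { "  $($d.InputObject) extra on $server" }
        }
    } else {
        "OK: $server matches $($servers[0])"
    }
}
```

Run it from any machine in the domain; a server name of "." or "" opens the local registry instead. The key covers role services installed through Server Manager; anything installed as a separate package (the FTP 7 download from the slides, for instance) should be checked with that package's own installer before the configuration is shared, because a module declared in a shared applicationHost.config but absent on one node fails that node's configuration.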
Solutions beyond Shared Configuration:
Small farms: 2-6 nodes
Current recommendation is to use Shared
Config.
There will be a Web Deployment Tool which is a
replication tool, currently beta, that will address
more than shared config (not an AppCenter
replacement)
Medium and large farms: 6 nodes +
Depends on the farm, the tool may be sufficient
or you may want to move to System Center
// Enable configuration redirection (shared configuration) through the IIS 7 admin COM object.
// The path and credentials are stored in redirection.config (the password encrypted);
// in practice prompt for them rather than hard-coding them in a script.
var config = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager");
config.CommitPath = "MACHINE/REDIRECTION";
var section = config.GetAdminSection("configurationRedirection", "MACHINE/REDIRECTION");
section.Properties.Item("enabled").Value = true;
section.Properties.Item("path").Value = "\\\\somemachine\\share\\folder";
section.Properties.Item("userName").Value = "user";
section.Properties.Item("password").Value = "pass";
config.CommitChanges();
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.