Lionel Cau, Snr Consultant & MS Practice Mger, Sogeti Switzerland

Competence Center
- Microsoft Infrastructure Optimisation (MIO): performs a complete assessment, evaluates your maturity level, delivers a ready-to-use and relevant IT director plan
- eXcellence in Migration Project (XMP): a complete project management kit helping you, in a short time frame, to evaluate, prepare, organize and build a Vista migration ("3 branches of a star, 3 stars of a branch!")
- Virtualization and costs (SoftGrid, RightShore): combines virtualization benefits with a quality-focused and cost-reducing approach
- MIT: always keeping in mind technology and methodology

Agenda
- FTP 7 management: overview of new features
- IIS 7 management: architecture & performance, security, configuration & administration, shared configuration, PHP, Silverlight…

FTP 7, FPSE and WebDAV
Microsoft will ship the following for Windows Server 2008, all available as free downloads:
- A feature-rich FTP service
- An updated version of FPSE
- A redesigned WebDAV implementation
(figure: FPSE, FTP and WebDAV layered on IIS)

Integration with the IIS 7 configuration
- IIS 6: administrators needed to create two sites because HTTP and FTP sites stored their settings separately
- FTP 7 integrates with the IIS 7 configuration system

Virtual hosts
- IIS 6: hosting multiple FTP sites requires unique IP addresses because the FTP protocol architecture lacks the flexibility of HTTP's host headers
- FTP 7 introduces "virtual host" support
Hosting improvements: user isolation
- IIS 6: FTP user isolation required physical directories because it could not support virtual directories
- FTP 7 user isolation allows both virtual and physical directories

Hosting improvements: disk quotas
- IIS 6: server administrators have no way to limit disk usage for FTP sites because FTP does not support quotas
- FTP 7 integrates with FSRM directory quotas in Windows Server 2008

Security and new Internet standards
- IIS 6: the FTP services in IIS 6 and earlier do not support SSL, IPv6 or UTF-8
- FTP 7 supports FTP over SSL, IPv6 and UTF-8 (note: FTP 7 supports FTPS, not SFTP)

Extensibility
- IIS 6: new FTP functionality could not be added because FTP was not extensible
- FTP 7 supports custom authentication, roles, home directories and commands (extensibility is provided for both managed and native code)

Downloads
The following packages are currently available on the www.iis.net web site:
- FTP 7 for x86: http://go.microsoft.com/fwlink/?LinkId=87847
- FTP 7 for amd64/x64: http://go.microsoft.com/fwlink/?LinkId=89114
- FPSE for Windows Server 2008 and Vista: http://go.microsoft.com/fwlink/?LinkId=86544

Windows Server 2008 Web edition
- Up to 4 processors (16 cores)
- Up to 4 GB RAM (32-bit) or 32 GB (x64); 512 MB minimum for the OS
- Microsoft SQL Server 2005 supported for local web applications (SP2 required)
- Windows SharePoint Services 3.0 SP1 (free) available as a separate download
- Server Core setup or classic, as you wish

IIS Manager
- No more MMC snap-in: a dedicated console
- Completely redesigned; allows IIS and ASP.NET configuration; icons instead of tabs
- Fully extensible: add new management and IIS features, integrate custom application config, view health and diagnostics info
- Built-in remote administration over HTTPS; manage 1 or 1000s of sites

Remote administration
- Connect to an IIS 7 server using IIS Manager; HTTPS is used, so no Terminal Services or admin web site
- The service is provided by the WMSVC service
- Use IIS Manager from Windows XP, Windows 2003 and Windows Vista
- Delegated settings control the user experience
- The Management Service is one of the recommended services for hosters

Feature delegation
- The administrator decides which features non-admins can control
- Site owners control delegated settings; no elevated privileges required!
- Delegated settings are in web.config, at site level or nested at application level
- Shares web.config with the ASP.NET configuration
- Xcopy deploy configuration and content; take precautions to protect against overwrites

Administration interfaces
- APPCMD: general-purpose command-line tool
- Managed code API: Microsoft.Web.Administration
- WMI: improved namespace for IIS 7
- ADSI compatibility: compatibility feature, not installed by default
- PowerShell: use with the managed API and WMI

Architecture: IIS 6
(figure: the IIS 6 request pipeline: Authentication (NTLM, Basic, Anon) > Determine Handler (Static File, ASP.NET ISAPI, CGI, PHP…) > Send Response > Log > Compress)
- Monolithic implementation: install all or nothing…
- Extend server functionality only through ISAPI…

Architecture: IIS 7
(figure: the IIS 7 request pipeline: Authentication (NTLM, Basic, Anon) > Authorization > ResolveCache > Determine Handler (Static File, ISAPI, CGI…) > ExecuteHandler > UpdateCache > SendResponse > Log > Compress)
- Server functionality is split into ~40 modules…
- Modules plug into a generic request pipeline…
- Modules extend server functionality through a public module API

ASP.NET in Classic mode (IIS 6)
(figure: the IIS pipeline hands ASP.NET requests to aspnet_isapi.dll, which runs its own pipeline: Authentication (Windows, Forms), Map Handler (ASPX), Trace, Send Response, Log, Compress…)
- ISAPI-based implementation
- Only sees ASP.NET requests
- Feature duplication

ASP.NET in Integrated mode
(figure: .NET modules and handlers (Forms and Windows authentication, ASPX, Map Handler, Trace) sit directly in the IIS pipeline stages: Authentication > Authorization > ResolveCache > ExecuteHandler > UpdateCache > SendResponse > Log > Compress…)
- .NET modules/handlers plug directly into the pipeline
- Process all requests
- Full runtime fidelity
- Two app pool modes

When to use Classic mode for your application pool?
- If your application relies on the way the IIS 6 pipeline worked, use Classic mode
- WSS requires Classic mode

Components that require Metabase Compatibility
- ASP.NET 1.1
- FrontPage Server Extensions (out-of-band release)
- Windows SharePoint Services
- IIS 6 based scripts
- 3rd party applications that rely on custom metabase data

Feature delegation
- Allow non-administrators to manage IIS settings remotely
- Allow fine-grained control over feature delegation

Application pool isolation
- Sandboxing out of the box
- IIS identities are built-in: the anonymous user IUSR_<machinename> becomes IUSR; easier to administer, scale out and configure
- IIS_WPG is now IIS_IUSRS: you don't have to add worker process identities to the IIS_IUSRS group anymore
- The anonymous user is not required anymore: the worker process identity does the job

(figure: application pool isolation. The Windows Process Activation Service (WAS), hosted in SVCHost.EXE, reads the pool definition from applicationHost.config (AppPool: newPool, username: newPoolUser, password: <password>) and obtains a batch-logon token (LOGON_BATCH) whose groups are Users, Everyone, IIS_IUSRS and newPool; the World Wide Web Service (W3SVC) starts the worker process W3WP.EXE with that token. Content paths shown: Wwwroot\, Otherpool\, NewPool\, default.htm. The ACL on the newPool content is Administrator:F, System:F, SiteOwner:F, newPool:F, so the newPool token is OK while Domain Users, HRGroup and <others> are denied.)

Tracing
- ETW (IIS 6): trace data is useful, but requires utilities to extract and present the events from the file
- IIS 7 provides a preformatted XSLT for easy analysis of the capture

Metabase issues
- Metabase corruption issues
- Too many machine-specific settings
- No way to share the metabase between servers
- Lack of metabase synchronization
- Difficult to troubleshoot double-hop authentication
- Difficult to manage applications remotely
- Difficult to deploy new applications

(figure: three servers, each with its own Metabase.XML)
1. Configure the master server
2. Replicate the config
3. Change the configuration
4. Re-replicate the config
Replication and synchronization are challenging, requiring custom code

IIS 7 configuration system
- Global configuration file: applicationHost.config; contains all sites, appPools, default settings…; allows configuration "locking" to distribute config
- Distributed configuration file: web.config; can optionally live with the content; can be a local or remote UNC path; supports Xcopy deployment of the application configuration
- Metabase available as an optional component: can provide compatible APIs for existing scripts; only writes to applicationHost.config; only supports existing IIS 6 properties

Configuration hierarchy
- machine.config (.NET Framework)
- "root" web.config (.NET Framework)
- applicationHost.config (local, remote or shared)
- web.config at the IIS site (optional)
- web.config at the vDir (optional)

Shared configuration
- Shared app hosting: the configuration is shared between multiple nodes and just stays in sync
- The location of applicationHost.config is determined by redirection.config
- Staging: easily manage multiple configuration versions (version 1, new config, version 2) for staging and rollback
- Portability: quickly move sites, applications or servers
- Replication: put the same configuration on multiple machines
- Synchronization: keep the configuration in sync
- Staged deployment: stage and roll back server changes

Regarding content, how could we achieve high fail-over and scalability?
- Store content on a back-end file server, not on the front-ends
- Use DFSR to replicate content between file servers

What happens if the file server with the config goes down, but the web servers are still up?
- The config will be cached in memory; if the web service is restarted, it will report invalid config
- Mitigation: use a redundant solution like DFSR for both content and configuration

How could we cache config files on each local box?
- Use Offline Files, or client-side caching, just for the shared config files
- Files are copied locally and used until the file server is back online

Before you enable shared config!
- Make sure that all the servers have the same components installed (e.g. FTP)
- Verify on each machine using Role Manager or a registry query

Before you install a new component!
- If it writes to applicationHost.config, you can't install it with shared config enabled
- Take a server offline and update it separately
- Best practice: configure the servers as needed before enabling shared config

Solutions beyond shared configuration
- Small farms (2-6 nodes): the current recommendation is to use shared config. There will be a Web Deployment Tool, a replication tool currently in beta, that will address more than shared config (not an AppCenter replacement)
- Medium and large farms (6+ nodes): depending on the farm, the tool may be sufficient or you may want to move to System Center

Enabling configuration redirection from a script (JScript, WSH):

    // Open the configuration system for writing and target redirection.config
    var config = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager");
    config.CommitPath = "MACHINE/REDIRECTION";
    // The configurationRedirection section tells IIS where applicationHost.config lives
    var section = config.GetAdminSection("configurationRedirection", "MACHINE/REDIRECTION");
    section.Properties.Item("enabled").Value = true;
    section.Properties.Item("path").Value = "\\\\somemachine\\share\\folder";
    // Credentials used to reach the share: give this account only the access the share needs
    section.Properties.Item("userName").Value = "user";
    section.Properties.Item("password").Value = "pass";
    config.CommitChanges();
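The "same components installed" check from the "Before you enable shared config!" slide, as an added example that is not part of the deck: it reads the registry key HKLM\SOFTWARE\Microsoft\InetStp\Components (where IIS 7 records each installed component as a DWORD, 1 = installed) on every node and reports the differences. The node names WEB01..WEB03 are placeholders; remote registry access and administrative rights on each node are assumed.

```powershell
# Added example (not from the deck): compare the installed IIS 7 components of several
# farm nodes before pointing them at one shared applicationHost.config.
$servers = @('WEB01', 'WEB02', 'WEB03')   # placeholder node names

function Get-IisComponents {
    param([string]$ComputerName)
    # Remote registry read; needs the Remote Registry service and admin rights on the node.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hive.OpenSubKey('SOFTWARE\Microsoft\InetStp\Components')
    if (-not $key) { throw "IIS 7 components key not found on $ComputerName" }
    $installed = @{}
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 1) { $installed[$name] = $true }
    }
    $key.Close(); $hive.Close()
    return $installed
}

$perServer = @{}
foreach ($s in $servers) { $perServer[$s] = Get-IisComponents -ComputerName $s }

# Union of every component seen on any node, then report which node lacks which one.
$all = $perServer.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
$mismatch = $false
foreach ($component in $all) {
    $missing = $servers | Where-Object { -not $perServer[$_].ContainsKey($component) }
    if ($missing) {
        $mismatch = $true
        Write-Host ("{0,-30} missing on: {1}" -f $component, ($missing -join ', '))
    }
}
if ($mismatch) {
    Write-Warning 'Component sets differ: install the missing components (or remove the extra ones) before enabling shared configuration.'
} else {
    Write-Host 'All nodes expose the same IIS components.'
}
```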
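The configuration "locking" of the IIS 7 configuration system and the feature-delegation model (the administrator decides which features non-admins control; site owners edit their own web.config) together, as an added example that is not from the deck: it uses the Microsoft.Web.Administration API named on the administration-interfaces slide to lock the authentication sections in applicationHost.config server-wide, so a delegated web.config cannot re-enable anonymous access or change the IP restrictions, and delegates only defaultDocument to one site. The site name "Contoso Site" is a placeholder; the script assumes it runs as an administrator on the IIS 7 server.

```powershell
# Added example (not from the deck): lock security-sensitive sections server-wide and
# delegate a harmless one per site, using Microsoft.Web.Administration.
[System.Reflection.Assembly]::LoadFrom("$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll") | Out-Null

$mgr    = New-Object Microsoft.Web.Administration.ServerManager
$config = $mgr.GetApplicationHostConfiguration()

# Sections a site owner must not be able to change from web.config. Deny means any
# matching element in a lower-level web.config is rejected, so the site keeps what
# the administrator configured. These sections ship locked; this re-asserts the lock,
# which matters when a shared applicationHost.config has been edited by hand.
$lockedSections = @(
    'system.webServer/security/authentication/anonymousAuthentication',
    'system.webServer/security/authentication/windowsAuthentication',
    'system.webServer/security/ipSecurity'
)
foreach ($path in $lockedSections) {
    $section = $config.GetSection($path)
    $section.OverrideMode = [Microsoft.Web.Administration.OverrideMode]::Deny
}

# Delegate only what the site owner legitimately manages, and only for their own site:
# this writes a <location path="Contoso Site" overrideMode="Allow"> entry (placeholder name).
$siteSection = $config.GetSection('system.webServer/defaultDocument', 'Contoso Site')
$siteSection.OverrideMode = [Microsoft.Web.Administration.OverrideMode]::Allow

$mgr.CommitChanges()

# Read the effective state back with a fresh ServerManager so the change can be audited.
$verify = New-Object Microsoft.Web.Administration.ServerManager
foreach ($path in $lockedSections + 'system.webServer/defaultDocument') {
    $s = $verify.GetApplicationHostConfiguration().GetSection($path, 'Contoso Site')
    Write-Host ("{0,-70} {1}" -f $path, $s.OverrideModeEffective)
}
```

After this, a web.config under the site that tries to set anonymousAuthentication produces a configuration error for that site rather than silently changing its security posture.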
© 2007 Microsoft Corporation. All rights reserved.