IIS Manager has built in remote administration capabilities Terminal Services or Admin web site not required Clients are IIS Manager from XP, 2003, Vista and Longhorn Custom addins are downloaded to remote Uses the WMSVC service (Windows Service) Requires Management Service be installed in Server Manager

Enable in the IIS Manager Turned off by Default Essentially a web application running on a standalone server Runs as Local Service (NT Service\WMSVC) If using UNC content, you need to run as identity with UNC access Startup is set to Manual Change to automatic to enable on reboot sc config WMSVC start= auto Enforces HTTPS

Type of User (Windows or IIS Manager) Connections Can be bound to a specific IP Configurable port for listening Set to 8172 by default When connecting specify port using : (e.g. myserver:5050) Logging can be turned on/off and log directory can be modified Certificate for SSL is preinstalled IP and Domain restrictions Ability to restrict connections to specific IP address/domains Ability to block specific IP address/domains

Logs all HTTP connections to the WMSvc service Logs stored at: :\inetpub\logs\wmsvc Useful for auditing W3SVC log file format Service errors visible in event viewer (eventvwr.exe)

Exposes a series of “handlers” that process the client requests. Ping.axd – Used to monitor the state Download.axd – Used to download assemblies to client Login.axd – Used to perform the initial handshake with the UI Service.axd – Used to process the actual client requests Monitors itself by doing a GET request (ping.axd) every 5 minutes

Administrators: Control entire web server remotely Non-administrators: Identity stored as Windows Users or “IIS Manager Users” Control of sites/applications Developers Site owners Application owners Administrator decides what the user can view/change with Feature Delegation

Only Administrator can connect to server node Can see all settings and connect to other nodes Does not need explicit permissions If Remote Administration is enabled, a server administrator can log in. Non-admins can connect to sites and apps Explicit permission required Content can be ACL’d for greater security

Created in the IIS Manager Only used by WMSVC and Admin UI Not used by any other IIS components DOES NOT map to Windows users Stored in administration.config by default Uses an IIS Authentication Provider Authentication provider be replaced by custom authentication provider, e.g. One which stored authentication info on SQL Server. Only used for site/application connections

Creating IIS Manager Users Site/Application Permissions Authorizing Access Connecting to Sites

Remote users can only edit delegated features Changes are written to web.config Most features shown by default Non-delegated features can be hidden from remote user Allows creation of custom UI for remote users

ConnectionUsers who can connectConfiguration Scope (Where config changes go) ServerWindows AdministratorsapplicationHost.config SiteWindows Administrators Windows Users IIS Manager Users web.config ApplicationWindows Administrators Windows Users IIS Manager Users web.config

1. Configure master server Replication and synchronization are challenging, requiring custom code XML Metabase.XML XML Metabase.XML XML Metabase.XML 2. Replicate config 3. Change configuration XML 4. Re-replicate config

Designed for web farm scenario from the start Multiple servers to share a single configuration file UNC share is created for master config When configured, servers direct config requests to share location A local or domain user is specified as identify for remote access

Export Settings using IIS Manager Shared Config feature Create identical local user [Configuser] on all web servers (or use a domain account) Assign user the right “Log on as a batch job” Create a share for config files Share permissions are [Configuser] Change ACLS are [Configuser] Read Place config files in UNC path Edit redirection.config

XML AppHost.config Staging New Config Version 2 Version 1 Easily manage multiple configuration versions for staging and rollback

Designed to work in homogeneous farm Must properly stage and replicate Adding new components to IIS Extending IIS7 configuration Shared configuration solves one of several web farm issues Replication tool to be released near RTM MOM pack for web server monitoring

When You Xcopy applicationHost.config Export the machine keys for encryption Ensure server configuration is identical Custom modules exist on all servers When You Use Code to Enable Shared Configuration Export the machine keys Copy configuration files to a share Edit redirection.config to enable When You Install Global Filters, Modules or IIS Components Remove a server from the farm to test Add any local dependencies BEFORE you change the shared config!

var config = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminMan ager"); config.CommitPath = "MACHINE/REDIRECTION"; var section = config.GetAdminSection("configurationRedirection", "MACHINE/REDIRECTION"); section.Properties.Item("enabled").Value = true; section.Properties.Item("path").Value = "\\\\somemachine\\share\\folder"; section.Properties.Item("userName").Value = "user"; section.Properties.Item( "password" ).Value = “pass"; config.CommitChanges();

ADSI: IIS 6 Compatibility APPCMD: General purpose command line utility WMI: Improved for Longhorn and IIS7. Microsoft.Web.Administration – Managed API to control state and configuration Powershell: Use with Microsoft.Web.Administraiton and WMI

Create Site Create Virtual Directory Create Application NOT CONSISTENT Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2") ' Create binding for new site Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_ oBinding.IP = "" oBinding.Port = "80" oBinding.Hostname = " ' Create site and extract site name from return value Set oService = oIIS.Get("IIsWebService.Name='W3SVC'") strSiteName = oService. CreateNewSite ("NewSite", array(oBinding), "C:\inetpub\wwwroot") Set objPath = CreateObject("WbemScripting.SWbemObjectPath") objPath.Path = strSiteName strSitePath = objPath.Keys.Item("") Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'") oSite.Start ' Create the vdir for our application Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting"). SpawnInstance_ oVDirSetting.Name = strSitePath & "/ROOT/bar" oVDirSetting.Path = "C:\inetpub\bar" oVDirSetting.Put_ ' Make the VDir an application Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'") oVDir. AppCreate2

Set oService = GetObject("winmgmts:root\WebAdministration") ' Create binding for site Set oBinding = oService.Get("BindingElement").SpawnInstance_ oBinding.BindingInformation = "*:80: oBinding.Protocol = "http" ' Create site oService.Get("Site").Create _ "NewSite", array(oBinding), "C:\inetpub\wwwroot" ' Create application oService.Get("Application").Create _ "/foo", "NewSite", "C:\inetpub\wwwroot\foo" Static Create methods CONSISTENT

ServerManager iisManager = new ServerManager(); foreach(WorkerProcess w3wp in iisManager.WorkerProcesses ) { Console.WriteLine("W3WP ({0})", w3wp.ProcessId); foreach(Request request in w3wp.GetRequests (0)) { Console.WriteLine("{0} - {1},{2},{3}", request.Url, request.ClientIPAddr, request.TimeElapsed, request.TimeInState); } }

With powershell…..

Provides compatibility for: scripts command line tools native calls into ABO Not installed by default Install IIS 6 Compatibility Can only do what IIS6 could do… Can’t read/write new IIS properties Application Pools: managedPipelineMode, managedRuntimeVersion Request Filtering Failed Request Tracing Can’t read/write ASP.NET properties Can’t read/write web.config files Can’t access new runtime data, e.g. worker processes, executing requests applicationHost.config IISADMIN ABOMapper IIS6 ADSI Script

Remote Administration Built in remote administration Access is scoped to roles and delegation Use HTTPS to connect to remote servers Choice of client operating systems Shared Configuration for web farms Automated administration tasks with WMI: for enterprise wide management APPCMD: local, general purpose Microsoft.Web.Administration: integrate into deployment and management programs ADSI: IIS6 compat

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Will cause all application pools to recycle: changes to default settings for all application pools changes to the list Will cause one application pool to recycle: application pool settings Use only RSA machine-encryption (default), replicate RSA machine key Gotcha's: Machine specific data, like IP addresses or drive letters Servers must have same set of modules installed (reference to non-existent module in causes 503's) Assemblies in GAC, certificates, COM+ and other local items

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.