Getting Started with IIS 7.0 • Chapter 12

■ Managing Worker Processes Managing worker processes includes starting them, maintaining information about them, recycling them, and determining when to restart them.

Inetinfo.exe

A user mode component, Inetinfo.exe hosts the IIS metabase, FTP, SMTP, and NNTP services. It depends on the IIS Admin service to host the metabase.

Where the Metabase Took Us … and Fell Short

The metabase in IIS is a hierarchical structure used for storing configuration information. It was introduced in IIS 4.0 as a replacement for storing configuration information in the registry. The metabase was improved in IIS 6.0, first by formatting it into a text file using XML, and then by allowing it to be edited while running.

One of the metabase's shortcomings is that it is difficult to read, and it is difficult to locate exactly what you're looking for. The old metabase supported outdated interfaces such as Admin Base Objects (ABOs). It also incorporated its own access control lists (ACLs); therefore, it did not use the existing ACLs from the file system. This made it very difficult to maintain. Adding to or extending the metabase schema was incredibly difficult. Figures 12.7 and 12.8 show both metabase.xml and mbschema.xml. Notice how difficult it would be to find something specific in either file.

Figure 12.7 IIS 6.0 Metabase

Metabase backup provided a way to ensure that restoration could take place in case of corruption or if a server crashed. Although effective, the tools used in backing up the metabase in IIS 6.0 were quite old. It was not uncommon to back up the metabase and store it remotely by creating a common batch file. Using both xcopy.exe and iisback.vbs, one could automate the backup process. To run a script to conduct the backup, a user or IIS administrator had to be a member of the local Administrators group of the computer where they were backing up the metabase.
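To illustrate the point above about locating a specific setting in metabase.xml, here is an added example (not from the book or from Microsoft) that resolves inherited properties and reports keys whose effective settings allow write access or Basic authentication. The sample XML is constructed in the shape of an IIS 6.0 metabase.xml, and the function names load_keys, effective and audit are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an IIS 6.0 metabase.xml; not a real export.
SAMPLE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
  <IIsWebService Location="/LM/W3SVC" AuthFlags="AuthAnonymous | AuthNTLM"/>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AccessFlags="AccessRead | AccessScript"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/upload" AccessFlags="AccessRead | AccessWrite"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/upload/tmp"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/admin" AuthFlags="AuthBasic"/>
</MBProperty>
</configuration>"""

def load_keys(xml_text):
    """Map lower-cased Location -> attribute dict for every metabase key."""
    root = ET.fromstring(xml_text)
    return {el.attrib["Location"].lower(): dict(el.attrib)
            for el in root.iter() if "Location" in el.attrib}

def effective(keys, location, prop):
    """Resolve an inheritable property: the nearest ancestor that sets it wins."""
    path = location.lower()
    while path:
        if prop in keys.get(path, {}):
            return {flag.strip() for flag in keys[path][prop].split("|")}
        path = path.rpartition("/")[0]  # step up one level in the hierarchy
    return set()

def audit(xml_text):
    """Return {Location: findings} for effective write access and Basic auth."""
    keys = load_keys(xml_text)
    findings = {}
    for attrs in keys.values():
        loc = attrs["Location"]
        access = effective(keys, loc, "AccessFlags")
        auth = effective(keys, loc, "AuthFlags")
        hits = []
        if "AccessWrite" in access:
            hits.append("anonymous write" if "AuthAnonymous" in auth else "write")
        if "AuthBasic" in auth:
            hits.append("basic auth")
        if hits:
            findings[loc] = hits
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The upload/tmp key sets nothing itself, yet it is reported because it inherits AccessWrite from its parent and AuthAnonymous from the service level, which is the kind of effective setting that is hard to spot by reading the file.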
Figure 12.8 IIS 6.0 Schema

Figure 12.9 is an example of what might be in a batch file that would use both xcopy.exe and iisback.vbs to back up the metabase.

Figure 12.9 Example of Backup Batch File

    rem Back up the IIS 6.0 metabase, then copy it and the Web content to a remote share.
    rem %password% must already be set; iisback uses it (/e) to encrypt the backup.
    rem %date% is locale dependent and may contain characters that are invalid in file names.
    set server=servername
    set name=%date%-%server%
    iisback /backup /b %name% /e %password%
    xcopy %windir%\system32\inetsrv\metaback\%name%.* \\backupserver\share$\%server%
    xcopy /o /x /e /h /y /c c:\web \\backupserver\share$\%server%

Another method of backing up the metabase in IIS 6.0 was through the IIS Manager, which would let an administrator save a copy of the metabase by right-clicking Web Sites and selecting All Tasks | Save Configuration to a File. You would then provide a filename and path for the backup. IIS 6.0 then created a machine key to encrypt some parts of the metabase in this file. This limited the backup to being restored only on the machine where it originated. To use a backup made in this manner on a separate machine, the administrator had to select the Encrypt configuration using password check box, which substituted a password that the administrator created for the machine key that was typically created. This was very easy to overlook.

Administration: A Review

IIS 6.0 administration was primarily done in the user interface with IIS Manager. Because its remote capabilities were very limited, administrators were required to loosen the network security settings for Distributed Component Object Model (DCOM) so that true remote administration could take place. If remote administration was required and the traffic had to go through a firewall, administrators had to open TCP 135, thereby creating another security risk. Finally, IIS Manager dealt with administration at a high level via category-based tabs rather than through a task-oriented design, which is more detailed, less error prone, and easier to configure.
For instance, Web site security is exposed via the “Directory Security” tab as shown in Figure 12.10. This shows the lack of task-oriented security and the overall lack of organization available in IIS Manager.

Figure 12.10 Web Sites Security in IIS Manager

Another tool for administering IIS 6.0 was adsutil.vbs. This utility used VBScript along with Active Directory Services Interfaces (ADSI) to modify an IIS configuration. One of the pitfalls of using adsutil.vbs was that it offered no ability to delegate to users, and thus you really couldn't do so without increasing security risks. Adsutil.vbs used old technology (ADSI); Microsoft has encouraged administrators to use WMI instead since the release of Windows Server 2003. Microsoft included eight different scripts that used WMI to help administrators manage IIS. The problem was that learning what eight different scripts did and how they made things more “simple” was counterproductive. IIS 7.0 remedies this with the implementation of Appcmd.exe.
The following are the eight scripts that administrators needed to know:

■ iisapp.vbs Lists Web applications running on an IIS machine
■ iisback.vbs Backs up, restores, lists, and deletes IIS configurations
■ iisCnfg.vbs Exports and imports IIS configurations as an XML file; able to copy configurations and save them to disk
■ iisext.vbs Enables and lists applications; adds and removes application dependencies; enables, disables, and lists Web service extensions; adds, removes, enables, disables, and lists Web service extension files
■ iisFtp.vbs Creates, deletes, starts, stops, and lists FTP sites, and configures Active Directory user isolation for FTP sites
■ iisFtpdr.vbs Creates and deletes virtual directories within FTP sites, and displays the virtual directories within a given root
■ iisvdir.vbs Creates and deletes virtual directories within Web sites, and displays the virtual directories within a given root
■ iisweb.vbs Creates, deletes, starts, stops, and lists Web sites

Troubleshooting Failed Requests with IIS 6.0

Regardless of the product and the manufacturer, troubleshooting is a fact of life and a skill that improves with experience and time. IIS 6.0 improved its diagnostics capabilities from earlier versions. Still, most of the utilities used for troubleshooting were add-on tools that were not part of IIS 6.0 itself, but were provided by the operating system or were available for download. The following is a list of tools or built-in features used for troubleshooting problems with IIS 6.0:

■ WFetch.exe Used for troubleshooting HTTP connections. Can display the headers in HTTP request and HTTP response packets sent between a client and a server.
■ File Monitor (FileMon.exe) Used for viewing and capturing file system activity in real time.
■ Registry Monitor (RegMon.exe) Similar to File Monitor except that it is used for viewing and capturing registry activity in real time.
■ IIS Request Monitor Captures information about HTTP requests in IIS worker processes; good for isolating and understanding problems when worker processes become slow or unresponsive.
■ Secure Sockets Layer Diagnostic Tool (SSLDiag) Useful in identifying configuration problems in the metabase, certificates, or certificate stores when running Web sites that use SSL.
■ Authentication and Access Control Diagnostics (authdiag.exe) Provides the ability to review, test, and correct problems or issues with authentication and authorization.
■ IIS Enterprise Tracing for Windows New in Windows Server 2003, this tool allows you to trace HTTP requests as they move through various components in the server architecture.
■ Network Monitor A network tracing tool that allows you to view activity on the network.
■ System Monitor Formerly known as Performance Monitor in Windows 2000, this tool helps you to view and collect system performance data.
■ HRPlus Provides error lookup functionality.
■ Microsoft Debugging Tools for Windows Used in debugging and diagnosing application problems.

As can be seen, IIS 6.0 had numerous add-on tools that were quite effective in troubleshooting problems. One feature that was expanded in service pack 1 (SP1) of Windows Server 2003 was Enterprise Tracing for Windows (ETW). ETW works by implementing tracing providers used for debugging and capacity planning. It implements these providers to track HTTP requests as they move through IIS components. For instance, if an ISAPI filter causes an HTTP request to be delayed or to hang, ETW can help determine which ISAPI filter is at fault.

Conducting an ETW tracing session can be quite cumbersome. It involves obtaining each provider's Globally Unique Identifier (GUID), specifying flags and levels in a text file, starting the tracing session with its numerous switches, and finally generating the tracing report.
The following is an example of a command that starts up the tracing process; notice all the parameters and switches.

    logman start iis_trace -pf iis_providers.guid -ets

Once the tracing report was created, it was usually difficult for administrators and developers to pinpoint the cause of the failure.

Basically, tracing in IIS 6.0 through ETW was difficult because it didn't provide a user interface, it was very difficult to restrict to certain extensions or paths, and it was not extensible, so developers could not write custom events.