If you have been following the IIS7 series that has been running for the past
few months, you'd have seen that there are tons of new configuration options in
IIS7. All of these can be managed in multiple ways: IIS Manager, the AppCmd
command line, PowerShell scripts and more. This month we take a brief look at
the new configuration architecture and the different ways that an administrator
can use it.
Direct Hit!
Applies To: Web admins
USP: Remotely administer, delegate tasks and replicate Web servers with a breeze
Primary Link: www.iis.net
Keywords: iis 7
A new feature in IIS6 was the move of the metabase (the database that holds the
configuration data of IIS) from a proprietary binary format to an XML-based open
format. This allowed admins to change settings by simply writing to a file
called Metabase.xml. However, with the advent of .NET, especially ASP.NET, this
brought on a new set of issues. ASP.NET has its own set of configuration files,
namely machine.config and web.config. Working with different sets of XML files
and their individual configurations suddenly started becoming a little bit
complicated.
Enter IIS7. In this version the IIS7 configuration system has been
made compatible with ASP.NET's configuration system. This is how it works:
ApplicationHost.config: This is the IIS7 main configuration file that
contains all the settings for the server as well as for the sites on the server.
It has the same syntax and schema as the ASP.NET configuration.
Machine.config: This is the full configuration file for .NET that
stores all possible values of different configuration directives on this
machine.
Web.config: This is the site/application specific configuration file
that now stores data for both .NET as well as for IIS7.
The Management Options group in IIS7 Manager allows administrators to create shared, delegated and remote configuration options
Basically, Web.config works like this. It has two sections that deal with two
different sets of configuration data. The system.web section stores the
configuration that has anything to do with ASP.NET while the system.webServer
section stores data for IIS7, both specific to the site or application that the
Web.config belongs to. Now that you have an understanding as to how IIS7 stores
its configuration data, we can take a look at the different ways an
administrator can manage it.
The first way that an administrator can manage the IIS7 server is remotely.
In earlier versions of IIS6 you had a few choices: use a remote desktop, connect
via the IIS MMC over a binary IP protocol or use the IIS Admin website. In IIS7
the last two have been done away with. Instead an administrator can connect to a
site or application remotely over a secure HTTPS connection using IIS Manager.
That is, from a remote machine that has the new IIS Manager installed, you can
connect to a running IIS7 server over a secure HTTP connection. To do this, one
must first install a Windows Server 2008 feature called IIS7 Remote Management
Service. Once this is installed, you will get a new icon within the Management
Options group on the server. Open this icon and turn the Remote Management
option on. You can also change the other settings if you wish. You will need a
digital certificate for the HTTPS connection to the service. IIS7 automatically
creates a new self-signed certificate for each server; however, if you wish, you
can also use any other certificate installed on the machine. Once the
configurations are done, save the setup and start the service. You can now
connect from any machine running IIS Manager by giving the name of the server,
site or application. Connection options are Windows or IIS credentials. You can
set the latter in the same Management section.
Export the configuration on one server, and enable shared configuration on all servers that you want to have the same settings
The next thing an administrator can do is to delegate the administration of
certain configuration options to others. For instance, if you're an ISP running
a server with hundreds or thousands of sites, managing each site yourself would
be a pain. Instead, you can delegate certain options to owners of the sites
themselves and they can go ahead and make whatever changes they want.
Change the chosen feature's delegation type by selecting it from the context bar. This will apply to the entire server or to a selected website
For example, you might want owners to take care of simple options like
Default Document, Logging and Compression, but not want them to change sensitive
ones like SSL, Modules, etc. To do this, at the server level, select Feature
Delegation. In this screen, you will get to see a list of all the features
available on the server. You can select each feature and turn the feature
delegation to one of the following three values:
Not Delegated: The user cannot view or change this particular feature.
The value for the feature is stored in the applicationHost.config file and only
administrators can change it.
Read Only: The user can view but cannot change the value for this
feature. The value is stored within the system.webServer section of the site's
web.config file. Attempts to change the value will result in the site throwing
an exception to anyone trying to reach it.
Read/Write: The feature is fully delegated and the user can change the
value to any valid option. The setting is stored as in the 'Read Only' option
but is writable.
Now when a user connects to his site with either Windows or IIS Manager
credentials, depending upon the delegations configured on the server, he will be
able to see only the last two types of features for his site and make changes
only to the last type.
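The following audit sketch is an added example, not code from the original article or from IIS. It reads the overrideModeDefault lock state that applicationHost.config declares for each system.webServer section, then reports sensitive sections left open to site owners and sections a site's web.config sets although the server keeps them locked. Both XML samples are constructed, the choice of "sensitive" sections is an assumption, and overrideMode values set on location tags are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample: section declarations from an applicationHost.config.
APPHOST = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="httpLogging" overrideModeDefault="Deny" />
      <section name="modules" overrideModeDefault="Allow" />
      <sectionGroup name="security">
        <section name="access" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
</configuration>"""

# Constructed sample: a site's web.config as edited by a delegated user.
WEBCONFIG = """<configuration>
  <system.web><compilation debug="false" /></system.web>
  <system.webServer>
    <defaultDocument><files><add value="home.aspx" /></files></defaultDocument>
    <security><access sslFlags="None" /></security>
  </system.webServer>
</configuration>"""

# Assumed policy: modules and SSL settings (security/access) stay with admins.
SENSITIVE = {"system.webServer/modules", "system.webServer/security/access"}

def section_modes(apphost_xml):
    """Map 'group/section' path -> overrideModeDefault (Allow when absent)."""
    modes = {}
    def walk(node, prefix):
        for child in node:
            path = f"{prefix}/{child.get('name')}".lstrip("/")
            if child.tag == "sectionGroup":
                walk(child, path)
            elif child.tag == "section":
                modes[path] = child.get("overrideModeDefault", "Allow")
    walk(ET.fromstring(apphost_xml).find("configSections"), "")
    return modes

def audit(apphost_xml, webconfig_xml):
    """Return (sensitive sections left unlocked, locked sections the site sets)."""
    modes = section_modes(apphost_xml)
    root = ET.fromstring(webconfig_xml)
    unlocked = sorted(p for p in SENSITIVE if modes.get(p) == "Allow")
    blocked = sorted(p for p, m in modes.items()
                     if m == "Deny" and root.find(p) is not None)
    return unlocked, blocked
```

Run it against copies of the real files by passing their contents to `audit()`; a non-empty second list points at web.config entries that conflict with a server-side lock.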
Finally, administrators can quickly scale out their Web server into multiple
machines with minimal effort. In earlier versions, to ensure that servers ran the
same configuration, one had to set up complicated replication policies. In IIS7,
however, administrators can use what is known as Shared Configuration. To do
this, simply select the icon from the management section on the server that has
the configuration set up as you wish. Now in the context bar, click 'Export
Configuration...' In the dialog that pops up, you can select a path to store the
configuration to. If this is a UNC network share you can give the credentials to
connect to it. You also need to give a strong password for encrypting the
exported configuration.
Once the export is done, on all the servers that need to share the
configuration (including the one that you just exported the configuration from),
turn on the option that says 'Enable Shared Configuration' and give it the path
where the files were stored with the appropriate credentials. Now if you make
configuration changes on any server, they will immediately apply to all other
servers as well since the configuration files are actually being shared.
As you can see, IIS7 has a number of new configuration options that
administrators can use to make their life easier and make the management of
servers, sites and applications much more efficient and secure.
Vinod Unny, Enterprise Infotech