IIS7 Administration
• Remote Administration
• Shared Configuration
• Scripted Administration
Remote Administration
• IIS Manager has built-in remote administration capabilities
• Terminal Services or an admin web site is not required
• Clients are IIS Manager from XP, 2003, Vista and Longhorn
• Custom add-ins are downloaded to the remote client
• Uses the WMSVC service (Windows Service)
• Requires the Management Service to be installed in Server Manager
Remote Service by WMSVC
• Enable in IIS Manager; turned off by default
• Essentially a web application running on a standalone server
• Runs as Local Service (NT Service\WMSVC)
  • If using UNC content, you need to run it as an identity with UNC access
• Startup is set to Manual; change it to Automatic to enable it on reboot:
    sc config WMSVC start= auto
• Enforces HTTPS
Remote Configuration Options
• Type of user (Windows or IIS Manager)
• Connections
  • Can be bound to a specific IP
  • Configurable port for listening; set to 8172 by default
  • When connecting, specify the port using <machine>:<port> (e.g. myserver:5050)
• Logging can be turned on/off and the log directory can be modified
• Certificate for SSL is preinstalled
• IP and domain restrictions
  • Ability to restrict connections to specific IP addresses/domains
  • Ability to block specific IP addresses/domains
Log files
• Logs all HTTP connections to the WMSvc service
• Logs stored at: <os drive>:\inetpub\logs\wmsvc
• Useful for auditing
• W3SVC log file format
• Service errors visible in Event Viewer (eventvwr.exe)
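Since the WMSVC log is the audit trail for every remote-management connection, the natural defender's task is to read it for sessions from unexpected addresses and for bursts of failed authentication. The script below is an added example, not part of the presentation: it parses the W3C extended format (the `#Fields:` directive names the columns, as the page's W3SVC format does) and runs two checks over a constructed log. The log lines, the `/service.axd` URI, the users and the management subnet `10.0.0.0/24` are all constructed for the example.

```python
"""Audit a WMSVC remote-administration log (W3C extended / W3SVC format).

Added example; the log lines below are constructed, not taken from a real server.
Column names come from the '#Fields:' directive IIS writes at the top of each file.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: two legitimate admin sessions from the management subnet and
# a burst of failed authentications (401) from an address outside it.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2007-06-01 08:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2007-06-01 08:00:01 10.0.0.15 CONTOSO\alice 10.0.0.5 8172 POST /service.axd 200
2007-06-01 08:00:04 10.0.0.15 CONTOSO\alice 10.0.0.5 8172 POST /service.axd 200
2007-06-01 08:01:10 203.0.113.7 - 10.0.0.5 8172 POST /service.axd 401
2007-06-01 08:01:11 203.0.113.7 - 10.0.0.5 8172 POST /service.axd 401
2007-06-01 08:01:12 203.0.113.7 - 10.0.0.5 8172 POST /service.axd 401
2007-06-01 08:02:30 10.0.0.22 siteowner 10.0.0.5 8172 POST /service.axd 200
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line.split(':', 1)[1].split()
            continue
        if fields is None:
            raise ValueError('data line before #Fields directive')
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f'field count mismatch: {line!r}')
        records.append(dict(zip(fields, values)))
    return records


def audit(records, allowed_networks, failure_threshold=3):
    """Flag management traffic from outside the allowed networks and repeated 401s,
    and report which client addresses each authenticated user connected from."""
    allowed = [ip_network(n) for n in allowed_networks]
    outside = Counter()
    failures = Counter()
    users = defaultdict(set)
    for rec in records:
        client = rec['c-ip']
        if not any(ip_address(client) in net for net in allowed):
            outside[client] += 1
        if rec['sc-status'] == '401':
            failures[client] += 1
        if rec['cs-username'] != '-':
            users[rec['cs-username']].add(client)
    findings = [('outside-allowed-range', ip, n) for ip, n in outside.items()]
    findings += [('repeated-auth-failure', ip, n)
                 for ip, n in failures.items() if n >= failure_threshold]
    return {'findings': findings,
            'users': {u: sorted(ips) for u, ips in users.items()}}


def audit_sample():
    """Run the audit over the constructed sample with 10.0.0.0/24 as the management subnet."""
    return audit(parse_w3c(SAMPLE_LOG), ['10.0.0.0/24'])


if __name__ == '__main__':
    result = audit_sample()
    for finding in result['findings']:
        print(*finding)
    for user, ips in result['users'].items():
        print(user, 'from', ', '.join(ips))
```

Run against a real file, replace `SAMPLE_LOG` with the contents of a file from `<os drive>:\inetpub\logs\wmsvc` and the allowed list with the subnets your administrators actually manage from; the same IP and domain restrictions configured on the service should make the `outside-allowed-range` finding rare, so when it does appear it is worth a look.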
Installing the Remote Administration Service
demo
Control is Scoped to Role
• Administrators: control the entire web server remotely
• Non-administrators:
  • Identity stored as Windows users or “IIS Manager Users”
  • Control of sites/applications: developers, site owners, application owners
  • Administrator decides what the user can view/change with Feature Delegation
Remote Windows Users
• Only an Administrator can connect to the server node
  • Can see all settings and connect to other nodes
  • Does not need explicit permissions
  • If Remote Administration is enabled, a server administrator can log in.
• Non-admins can connect to sites and apps
  • Explicit permission required
  • Content can be ACL’d for greater security
Remote IIS Manager Users
• Created in IIS Manager
• Only used by WMSVC and the admin UI; not used by any other IIS components
• DOES NOT map to Windows users
• Stored in administration.config by default
• Uses an IIS authentication provider; it can be replaced by a custom authentication provider, e.g. one that stores authentication info in SQL Server
• Only used for site/application connections
Authorizing Users for Remote Administration
demo
• Creating IIS Manager Users
• Site/Application Permissions
• Authorizing Access
• Connecting to Sites
Remote Admin and Delegation
• Remote users can only edit delegated features
• Changes are written to web.config
• Most features shown by default
• Non-delegated features can be hidden from the remote user
• Allows creation of a custom UI for remote users
Connection Scope and Config

Connection     Users who can connect                                       Configuration scope (where config changes go)
Server         Windows Administrators                                      applicationHost.config
Site           Windows Administrators, Windows Users, IIS Manager Users    web.config
Application    Windows Administrators, Windows Users, IIS Manager Users    web.config
Customizing the IIS Manager for Remote Users
demo
Shared Configuration
• Designed for the web farm scenario from the start
• Multiple servers share a single configuration file
• A UNC share is created for the master config
• When configured, servers direct config requests to the share location
• A local or domain user is specified as the identity for remote access
Shared Config Setup
• Export settings using the IIS Manager Shared Config feature
• Create an identical local user [Configuser] on all web servers (or use a domain account)
• Assign the user the right “Log on as a batch job”
• Create a share for the config files
  • Share permissions: [Configuser] Change
  • ACLs: [Configuser] Read
• Place the config files in the UNC path
• Edit redirection.config
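The last step above, redirection.config, is where each farm member stores the UNC path and the [Configuser] credentials it uses to reach the share, so it is worth checking after a hand edit. The script below is an added example, not from the presentation; it flags a disabled redirection, a non-UNC path, a missing user name and, most importantly, a password that was typed in clear instead of in the encrypted form IIS Manager writes. The element and attribute names (`configurationRedirection` with `enabled`, `path`, `userName`, `password`) and the `[enc:...:enc]` prefix for an encrypted value are how I recall IIS Manager writes this file; treat them as assumptions and compare with a file your own server produced. Both XML fragments, the share name and the provider/ciphertext placeholder are constructed.

```python
"""Sanity-check a shared-configuration redirection.config.

Added example, not from the presentation. Element/attribute names and the
'[enc:' prefix that marks an encrypted password are assumptions based on the
file IIS Manager writes; confirm against your own server.
"""
import xml.etree.ElementTree as ET

# Constructed: a file edited by hand, with the credential left in clear text
HAND_EDITED = r"""<configuration>
  <configurationRedirection enabled="true" path="\\cfgserver\iisconfig"
                            userName="Configuser" password="P@ssw0rd!" />
</configuration>"""

# Constructed: the shape the IIS Manager Shared Configuration feature produces
# (provider name and ciphertext are placeholders, not real values)
MANAGER_WRITTEN = r"""<configuration>
  <configurationRedirection enabled="true" path="\\cfgserver\iisconfig"
                            userName="Configuser"
                            password="[enc:PROVIDER-NAME:CIPHERTEXT-PLACEHOLDER:enc]" />
</configuration>"""


def check_redirection(xml_text):
    """Return a list of (issue, detail) tuples; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    node = root.find('configurationRedirection')
    if node is None:
        return [('no-redirection-element', '')]
    issues = []
    if node.get('enabled', 'false').lower() != 'true':
        issues.append(('redirection-disabled', ''))
    path = node.get('path', '')
    if not path.startswith('\\\\'):          # shared config must point at a UNC share
        issues.append(('path-not-unc', path))
    if not node.get('userName'):
        issues.append(('no-username', ''))
    password = node.get('password', '')
    if password and not password.startswith('[enc:'):
        issues.append(('plaintext-password', 'password attribute is not encrypted'))
    return issues


if __name__ == '__main__':
    print('hand-edited   :', check_redirection(HAND_EDITED))
    print('manager-written:', check_redirection(MANAGER_WRITTEN))
```

A clear-text password here is readable by anyone who can read the file on that server, and it is the account that has Change permission on the master configuration share, so fix it by re-running the Shared Configuration feature rather than leaving the hand edit in place.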
Shared Config Limits
• Designed to work in a homogeneous farm
• Potential issues adding new components to IIS
• Potential issues extending configuration
• Farm story still a work in progress
Shared Configuration
demo
Automating IIS 7 Administration
• ADSI: IIS 6 compatibility
• APPCMD: general purpose command line utility
• WMI: improved for Longhorn and IIS7
• Microsoft.Web.Administration: managed API to control state and configuration
• PowerShell: use with Microsoft.Web.Administration and WMI
Using APPCMD
demo
Scripting: IIS6 WMI Provider
• Create Site
• Create Virtual Directory
• Create Application
• NOT CONSISTENT

```vbscript
Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

' Create binding for new site
Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
oBinding.IP = ""
oBinding.Port = "80"
oBinding.Hostname = "www.site.com"

' Create site and extract site name from return value
Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")
Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
objPath.Path = strSiteName
strSitePath = objPath.Keys.Item("")
Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
oSite.Start

' Create the vdir for our application
Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
oVDirSetting.Name = strSitePath & "/ROOT/bar"
oVDirSetting.Path = "C:\inetpub\bar"
oVDirSetting.Put_

' Make the VDir an application (AppCreate2 takes the AppMode: 2 = pooled process)
Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
oVDir.AppCreate2 2
```
Scripting: new WMI Provider

```vbscript
Set oService = GetObject("winmgmts:root\WebAdministration")

' Create binding for site
Set oBinding = oService.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:80:www.site.com"
oBinding.Protocol = "http"

' Create site
oService.Get("Site").Create _
    "NewSite", array(oBinding), "C:\inetpub\wwwroot"

' Create application
oService.Get("Application").Create _
    "/foo", "NewSite", "C:\inetpub\wwwroot\foo"
```

• Static Create methods
• CONSISTENT
Coding: Microsoft.Web.Administration

```csharp
using System;
using Microsoft.Web.Administration;

// Enumerate running worker processes and the requests currently executing in each
using (ServerManager iisManager = new ServerManager())
{
    foreach (WorkerProcess w3wp in iisManager.WorkerProcesses)
    {
        Console.WriteLine("W3WP ({0})", w3wp.ProcessId);
        foreach (Request request in w3wp.GetRequests(0))
        {
            Console.WriteLine("{0} - {1},{2},{3}",
                request.Url, request.ClientIPAddr, request.TimeElapsed, request.TimeInState);
        }
    }
}
```
Using Microsoft.Web.Administration
demo
With PowerShell…
Compatibility: ABO Mapper
• Provides compatibility for:
  • scripts
  • command line tools
  • native calls into ABO
• Not installed by default; install IIS 6 Compatibility
• Can only do what IIS6 could do…
  • Can’t read/write new IIS properties (application pools: managedPipelineMode, managedRuntimeVersion; Request Filtering; Failed Request Tracing)
  • Can’t read/write ASP.NET properties
  • Can’t read/write web.config files
  • Can’t access new runtime data, e.g. worker processes, executing requests
(Diagram: applicationHost.config, IISADMIN, ABOMapper, IIS6 ADSI Script)
Summary
• Remote Administration
  • Built-in remote administration
  • Access is scoped to roles and delegation
  • Use HTTPS to connect to remote servers
  • Choice of client operating systems
• Shared Configuration for web farms
• Automated administration tasks with
  • WMI: for enterprise-wide management
  • APPCMD: local, general purpose
  • Microsoft.Web.Administration: integrate into deployment and management programs
  • ADSI: IIS6 compat
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Additional Information
Replicating applicationHost.config
• Will cause all application pools to recycle:
  • changes to default settings for all application pools
  • changes to the <globalModules> list
• Will cause one application pool to recycle:
  • application pool settings
• Use only RSA machine-encryption (default), replicate the RSA machine key
  http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx
• Gotchas:
  • Machine-specific data, like IP addresses or drive letters
  • Servers must have the same set of modules installed (a reference to a non-existent module in <globalModules> causes 503s)
  • Assemblies in the GAC, certificates, COM+ and other local items
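The gotchas above are all things that can be caught by reading the file before it is copied to another server. The script below is an added example, not from the presentation: it parses a constructed applicationHost.config fragment (element names as in the real file) and reports <globalModules> entries whose image is not present on the target server, bindings tied to a specific IP address, and physical paths that start with a drive letter. The set of module images "installed on the target" is a constructed Python set rather than a directory listing so the check runs offline; on a real farm you would build it from the other server's inetsrv directory.

```python
"""Pre-replication check for applicationHost.config.

Added example, not from the presentation. The config fragment and the target
server's module list are constructed; element names match the real file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment of applicationHost.config
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="UrlAuthorizationModule" image="%windir%\System32\inetsrv\urlauthz.dll" />
      <add name="CustomTraceModule" image="D:\modules\customtrace.dll" />
    </globalModules>
  </system.webServer>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
        </bindings>
      </site>
      <site name="Intranet" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="E:\sites\intranet" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="10.0.0.5:80:intranet" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""

# Constructed: module images present on the server that will receive the file
TARGET_MODULE_IMAGES = {
    r"%windir%\System32\inetsrv\static.dll",
    r"%windir%\System32\inetsrv\urlauthz.dll",
}

DRIVE_LETTER = re.compile(r'^[A-Za-z]:\\')


def check_replication(config_xml, target_module_images):
    """Return (finding, subject, detail) tuples for anything that may not replicate cleanly."""
    root = ET.fromstring(config_xml)
    installed = {img.lower() for img in target_module_images}
    findings = []
    # A <globalModules> entry whose image is absent on the target means 503s there
    for modules in root.iter('globalModules'):
        for entry in modules.findall('add'):
            image = entry.get('image', '')
            if image.lower() not in installed:
                findings.append(('missing-module', entry.get('name'), image))
    for site in root.iter('site'):
        name = site.get('name')
        # bindingInformation is ip:port:host; '*' or empty means any address
        for binding in site.iter('binding'):
            info = binding.get('bindingInformation', '')
            ip = info.split(':', 1)[0]
            if ip not in ('', '*'):
                findings.append(('ip-specific-binding', name, info))
        # Drive-letter paths may not exist on the other machine; %SystemDrive% is portable
        for vdir in site.iter('virtualDirectory'):
            path = vdir.get('physicalPath', '')
            if DRIVE_LETTER.match(path):
                findings.append(('drive-letter-path', name, path))
    return findings


def check_sample():
    """Run the check over the constructed fragment against the constructed target."""
    return check_replication(SAMPLE_CONFIG, TARGET_MODULE_IMAGES)


if __name__ == '__main__':
    for finding in check_sample():
        print(*finding)
```

Three findings come out of the sample: the custom module that is not on the target, the Intranet site bound to 10.0.0.5, and its E: drive path. None of them is wrong in itself; they are the lines that need a per-server answer before the file is shared or copied.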
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.