Internet Information Services (IIS) Doomsday Plan Vandana Pandey

Apr 04, 2018


DuongAnh

Internet Information Services (IIS)

Doomsday Plan

Vandana Pandey


IIS 6.0 : Back Up and Restore

• In IIS 6.0, take a backup of IIS with a password, and then copy the files ‘Metabase.xml’ and ‘MBSchema.xml’ to some other location.

• Copy the following folders completely and make them part of the daily or weekly backup:
  o %windir%\system32\inetsrv\MetaBack
  o %windir%\system32\inetsrv
  o C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

• Ensure that the above folders are backed up during the system backup every week.

Manual Backup: Windows\system32\inetsrv\Metaback

Automatic History: Windows\system32\inetsrv\History


IIS 6.0 : Back Up and Restore Steps

The following steps show how to take a backup with a password.

BACKUP of IIS 6.0: To create a portable backup (password required)

1. In IIS Manager, right-click the local computer, point to All Tasks, and click Backup/Restore Configuration.
2. Click Create Backup.
3. In the Configuration backup name box, type a name for the backup file.
4. Select the Encrypt backup using password check box, type a password into the Password box, and then type the same password in the Confirm password box.
5. Click OK, and then click Close.

RESTORING of IIS 6.0: To restore an IIS metabase backup

1. In IIS Manager, right-click the local computer, point to All Tasks, and click Backup/Restore Configuration.
2. In the Backups list, click the backup you want to restore and click Restore.
   Note: If you want to restore IIS to its initial configuration, restore the backup named Initial Backup (created automatically by IIS setup).
3. Read the message that appears and click Yes if you want to continue.
4. If you are restoring a secure backup, you are prompted for the password you typed when the backup was created. Type the password and click OK. Note that passwords are case sensitive.
5. Click OK.


IIS 7.5 : Back Up and Restore Steps

• To back up the configuration, run the following command:
  > %windir%\system32\inetsrv\appcmd.exe add backup "My Backup Name"

• To restore that backup, run this command:
  > %windir%\system32\inetsrv\appcmd.exe restore backup "My Backup Name"

• To delete a backup, run this command:
  > %windir%\system32\inetsrv\appcmd.exe delete backup "My Backup Name"

• IIS automatically makes history snapshots of ApplicationHost.config each time a change is detected, enabling you to easily restore to a prior version.

• By default, IIS checks for a new version every 2 minutes and keeps 10 prior versions of the file. IIS7 stores these snapshots in the %systemdrive%\inetpub\history folder by default.


IIS service Start up issues

IIS Admin Service Start-Up issues

IISAdmin Role

In IIS 6.0, the IIS Admin Service loads the primary configuration file for IIS sites, called the IIS MetaBase.xml file, and related in-memory configuration services. The IIS Admin service also loads the following:

• The File Transfer Protocol (FTP) service
• The Network News Transfer Protocol (NNTP) service
• The Simple Mail Transfer Protocol (SMTP) service

How to trace the IIS Admin service

Use the following procedure to trace the IIS Admin service if the service fails to start up or shut down. IIS Admin tracing uses the following parameters:

To trace the IIS Admin service:

• From a command prompt, type logman start session name -p "IIS: IISADMIN Global" (startup,shutdown) -ets and press ENTER.
  For example: logman start IISAdminTrace -p "IIS: IISADMIN Global" (startup,shutdown) -ets
• Event Tracing for Windows prints to the screen details about the trace session you just started, including the name of the session, the file name where the trace data will be collected (session name.etl by default), and whether or not the command was successful.
• If necessary, start or stop the IIS Admin service (depending on the nature of the problem you are trying to troubleshoot). Type net stop IISAdmin or net start IISAdmin and press ENTER.
• Allow the trace session to run until you have reproduced the problem.
• From the command prompt, type logman stop session name -ets and press ENTER.

How to process IIS Admin trace log files using Trace Report

IIS Admin trace data is written in binary format to a trace log (filename.etl). To view the trace data, the log file must be processed using the Trace Report tool that ships with Windows Server 2003.

To process and view an IIS Admin trace log:

1. Open a command prompt and navigate to the directory where your IIS Admin trace log .etl file is stored.
2. Type tracerpt filename.etl and press ENTER. Trace Report processes the .etl file and creates two new files in the directory where you executed this command: summary.txt and dump.csv.
3. To view the file, type notepad dump.csv and press ENTER.


IIS 5 & 5.1 Metabase Corruption issue

SYMPTOMS

o Unable to Enum (Enumerate) on the W3SVC key
o On IIS 5.0 & 5.1 -> C:\Inetpub\AdminScripts>cscript adsutil.vbs enum_all

REASONS

o If we get an error by running the command on IIS 5.0 or IIS 5.1 -> it means that the Metabase.bin file is corrupt.

SOLUTION

• Try restoring the backup from old backups or the Initial Backup. (It is always preferred to have backups taken with a password.)
• If we are unable to restore the backup from old backups or the Initial Backup, then check the following:
  o Check the permissions on the MachineKeys folder found in location - C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  o Follow the article - http://support.microsoft.com/kb/278381 and ensure that the MachineKeys folder has the appropriate permissions.
  o Check if we have multiple C23 keys in the MachineKeys folder.
  o For example, if this is the C23 MachineKey:
    c2319c42033a5ca7f44e731bfd3fa2b5_8b906d95-1bf2-4c4c-8bc5-ae4bb414fe16
    c2319c42033a5ca7f44e731bfd3fa2b5 -> Actual Key
    8b906d95-1bf2-4c4c-8bc5-ae4bb414fe16 -> Machine GUID (This is unique for each box)


IIS 5 & 5.1 - Metabase Corruption issue

RESTORING IIS CONFIGURATION FROM BACK-UP files

• If the machine is not changed, then re-installing IIS and restoring the old metabase should be attempted first.
• If the above step fails:
  o Back up your local metabase on your Windows 2003 or Windows XP machine.
  o Open the Metabase.bin file in Metabase Explorer (http://www.microsoft.com/en-us/download/details.aspx?id=17275) on a Windows 2003 or Windows XP machine.
  o Rename the existing W3SVC and other required keys on your local machine.
  o Copy the W3SVC and all the required keys from the customer's metabase onto the local metabase under the LM key.
  o Open the MetaEdit tool (http://support.microsoft.com/kb/301386) on the same Win2003 or WinXP box, select the W3SVC and other keys that you copied, and use the export option in the File menu to export them to a text file.
  o Repeat the above step for all the keys that you have copied and close the MetaEdit tool.
  o Come back to your Metabase Explorer and delete the customer's keys that you have copied.
  o Rename your local metabase entries back to the way they were.
  o Then you can do an IISReset.


IIS 6.0 Corruption issue

Steps to recover IIS 6.0

• Check the History folder [systemroot\System32\Inetsrv\History] and the MetaBack folder [systemroot\System32\Inetsrv\MetaBack] under INETSRV for any backups that are automatically taken.
• If you find the files in the History folder:
  o Rename the latest Metabase_XXXXXXXX_XXXXXXX.xml file to Metabase.xml
  o Rename the MBSchema_XXXXXXXXX_XXXXXXXX.xml file to MBSchema.xml
  o Copy the above two files to InetSrv and try to start the services.
• If you want to manually copy the entries, then make sure you are not copying the ADMINACL sections.
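A scripted form of the History-folder recovery above, as an added example that is not part of the original slides. It assumes the two X fields in the snapshot names are numeric version numbers (higher is newer), copies into a staging folder rather than into InetSrv, and skips any snapshot that is not well-formed XML; the folder and file contents built in demo() are constructed.

```python
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: the two X fields in the history file names are zero-padded major
# and minor version numbers, so the numerically highest pair is the newest.
HISTORY_NAME = re.compile(r"^(metabase|mbschema)_(\d+)_(\d+)\.xml$", re.IGNORECASE)
TARGETS = {"metabase": "Metabase.xml", "mbschema": "MBSchema.xml"}


def is_well_formed(path):
    """A snapshot that does not parse as XML cannot replace a corrupt file."""
    try:
        ET.parse(str(path))
        return True
    except ET.ParseError:
        return False


def newest_usable(history_dir, kind):
    """Return the newest well-formed snapshot of one kind, or None."""
    found = []
    for path in Path(history_dir).iterdir():
        match = HISTORY_NAME.match(path.name)
        if match and match.group(1).lower() == kind:
            found.append(((int(match.group(2)), int(match.group(3))), path))
    for _version, path in sorted(found, key=lambda item: item[0], reverse=True):
        if is_well_formed(path):
            return path
    return None


def stage_restore(history_dir, staging_dir):
    """Copy the chosen pair into staging_dir under the names IIS expects.

    Returns {restored name: source snapshot name}. The live InetSrv folder is
    not touched; copying from staging into InetSrv stays a manual step.
    """
    chosen = {}
    for kind, target in TARGETS.items():
        source = newest_usable(history_dir, kind)
        if source is None:
            raise FileNotFoundError(f"no usable {target} snapshot in {history_dir}")
        chosen[target] = source
    Path(staging_dir).mkdir(parents=True, exist_ok=True)
    for target, source in chosen.items():
        shutil.copy2(source, Path(staging_dir) / target)
    return {target: source.name for target, source in chosen.items()}


def demo():
    """Run against a constructed History folder (file contents are placeholders)."""
    with tempfile.TemporaryDirectory() as tmp:
        history = Path(tmp) / "History"
        history.mkdir()
        samples = {
            "MetaBase_0000000007_0000000000.xml": "<configuration/>",
            "MetaBase_0000000008_0000000000.xml": "<configuration><IIsWebSer",  # truncated
            "MBSchema_0000000002_0000000000.xml": "<MetaData/>",
        }
        for name, text in samples.items():
            (history / name).write_text(text, encoding="utf-8")
        result = stage_restore(history, Path(tmp) / "staging")
        restored = sorted(p.name for p in (Path(tmp) / "staging").iterdir())
        return result, restored


if __name__ == "__main__":
    print(demo())
```

In the constructed folder the newest metabase snapshot (version 8) is truncated, so the version 7 snapshot is staged instead.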


IIS Performance issues

• Identify from the event logs whether the issue is a hang or a crash.
• Crash Issue
  o You will find Event ID 37 or Event ID 7031 in the System event logs in IIS 5.
  o In IIS6 you should see Event ID 1009.
  o Check for "Unexpectedly terminated" for worker processes, DLLHost or Inetinfo in the System event logs.
  o Install Debug Tools and capture the crash dumps.
• Heap Corruption
  o If the initial set of dumps reveals heap corruption, enable Page Heap using the Debug Diag tool and capture another set of crash dumps.


IIS Performance issues

Hang Issue

• Check if the CPU is spiking or the pages are just hung without displaying any content.
• Check if the memory is spiking along with the CPU.
• Capture performance monitor logs.
• Get the event viewer logs and W3SVC logs from the customer.

Memory Leaks

• Install the Debug Diag tool to capture the memory leak dumps.
• Configure the tool to capture memory leak dumps at different intervals.


Troubleshooting IIS Performance issues

Debugging Tools For Windows (ADPLUS):

http://support.microsoft.com/kb/286350

Description                                          Command
For monitoring all IIS processes for crash           CScript ADPlus.vbs -crash -iis
For monitoring a specific process ID for crash       CScript ADPlus.vbs -crash -p <PID>
For monitoring all the IIS processes for hang        CScript ADPlus.vbs -hang -iis
For monitoring a specific process ID for hang        CScript ADPlus.vbs -hang -p <PID>


IIS Performance issues

Debug Diagnostics Tool:

• You can download and install the tool from the following location: http://www.microsoft.com/en-in/download/details.aspx?id=26798
• Runs as a service.
• GUI-based tool to configure and capture dumps for Crash/Heap Corruption/Hang/Memory Leak.
• This tool can analyze the dumps using public symbols if connected to the internet.

Tools available by default on the box:

• NTSD & DrWatson - debugging tools available by default on the box
  o Run drwtsn32 from the command prompt or Run menu
  o Run NTSD from the command prompt or Run menu


Authentication Issues.

Anonymous Authentication:

• IUSR_Machine by default.
• Can be configured to a custom identity.
• 401.1 when the IUSR goes out of sync.
• Articles
  o For IIS5 - http://support.microsoft.com/kb/271071
  o For IIS6 - http://support.microsoft.com/kb/812614
  o For Troubleshooting ASP in IIS5 - http://support.microsoft.com/kb/309051
  o Listing adsutil commands to use for IUSR and IWAM - http://support.microsoft.com/kb/297989
• Tools to use
  o Netmon
    - Filtering HTTP traffic.
    - Filtering only GET requests and responses based on status codes.
  o AuthDiag
  o Process Monitor for any access denied entries
• Set the appropriate NTFS or registry permissions. On Windows 2000 use regedt32 to set permissions on the registry.
• HTTP Keep-Alives


Authentication Issues.

Basic Authentication:

• The password is sent in clear text: it is only Base-64 encoded, not encrypted.
• SSL is recommended.
• The browser first tries anonymous access and then gets the authentication header, the ‘WWW-Authenticate’ header. The browser then sends credentials and authenticates.
• "\" will authenticate users on to all the domains.
• In IIS6, you can specify the Realm (Security Principals Zone).
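The Basic exchange described above, with both sides' headers, as an added example that is not part of the original slides. The realm, account and password are constructed; recovered_by_observer() shows what anyone who can read the request headers gets back when the connection is not protected by SSL.

```python
import base64
import hmac

REALM = "intranet.example"                      # constructed realm name
ACCOUNTS = {"EXAMPLE\\alice": "Winter-2018!"}   # constructed account


def decode_basic(header_value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")    # only the first colon separates
    return (user, password) if sep else None


def server(request_headers):
    """Answer 401 with a challenge until valid Basic credentials arrive."""
    creds = decode_basic(request_headers.get("Authorization", ""))
    if creds:
        expected = ACCOUNTS.get(creds[0])
        if expected is not None and hmac.compare_digest(
                expected.encode("utf-8"), creds[1].encode("utf-8")):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def browser(user, password):
    """Replay the two round trips and return them as a transcript."""
    transcript = []
    headers = {}                                # first attempt is anonymous
    status, response = server(headers)
    transcript.append((headers, status, response))
    if status == 401 and response["WWW-Authenticate"].lower().startswith("basic"):
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        headers = {"Authorization": f"Basic {token}"}
        status, response = server(headers)
        transcript.append((headers, status, response))
    return transcript


def recovered_by_observer(transcript):
    """Credentials readable by anyone who sees the request headers."""
    for headers, _status, _response in transcript:
        creds = decode_basic(headers.get("Authorization", ""))
        if creds:
            return creds
    return None


if __name__ == "__main__":
    exchange = browser("EXAMPLE\\alice", "Winter-2018!")
    for request, status, response in exchange:
        print(request, "->", status, response)
    print("recovered from headers:", recovered_by_observer(exchange))
```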


Authentication Issues.

Troubleshooting Integrated Authentication:

• Best suited for intranet use.
• Over the internet, Integrated Authentication is not supported, as proxies and firewalls block the Integrated requests.
• Integrated Authentication includes both Kerberos and NTLM.
• The metabase value is NTAuthenticationProviders. Default value: "Negotiate,NTLM"
• Cscript adsutil.vbs get W3SVC/NTAuthenticationProviders
• NTLM supports only one hop between client and server.


IIS Authentication Issues.

Troubleshooting Kerberos Authentication:

• Communication between client and server uses session tickets:
  o Client contacts the KDC.
  o AS Exchange - Client gives the authenticator to the AS exchange.
  o Client gets the TGT. Client copies the session key to communicate with the TGS, as a response from the AS exchange.
  o TGS Exchange - Client sends the authenticator (encrypted with the session key) and the TGT to the TGS.
  o Client gets the ticket and session key to communicate with the CS Exchange.
  o Client presents the ticket to the server along with an authenticator encrypted with the session key obtained from the TGS.
  o Communication continues with the server.
• Computer (on IIS5) or Computer/Specific Service (on IIS6) needs to be delegated.


IIS Authentication Issues.

Troubleshooting Kerberos Authentication – Contd.,

• SPN's must be properly
• Can use SETSPN, Kerbtray and KList to troubleshoot Kerberos.
• The Netmon tool can be used to see the Kerberos traffic.
• Before starting the Netmon capture, purge all the available tickets on the client machine.
• The account under which the SQL Server is running must be trusted for delegation.
• The account that is trying to access the IIS server, i.e. the client's account, must not be set to "Account is sensitive and cannot be delegated".
• Enable security auditing (Local Security Policy) on the IIS server to check for security events.
• On client computers the IE option "Enable Integrated Windows Authentication" must be checked.


IIS Authentication Issues.

Digest Authentication:

On Windows Server 2000, if the option is disabled, check:

• Whether the MD5filt ISAPI filter is loaded or not. Add md5filt.dll as an ISAPI filter if it is not found in the list.
• Verify in AD whether the account is set to "Store Passwords in reversible encryption", and then reset the password for the user.
• If the server is IIS5 and the DC is 2003, then run this command on the 2003 DC:
  rundll32 iissuba.dll,RegisterIISSUBA


IIS Authentication Issues.

Digest Authentication - Configuring Subauthentication on a New Installation of IIS 6.0 (IIS 6.0):

• By default, after installing Windows Server 2003 and IIS 6.0, IIS runs in worker process isolation mode and subauthentication is disabled.
• Subauthentication is disabled when the AnonymousPasswordSync metabase property is set to false.
• To enable anonymous password synchronization, ensure that your system meets the following requirements:
  o The subauthentication component, Iissuba.dll, must be registered. At the command prompt, type the following and then press ENTER:
    rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA
  o The application pool of the Web site runs as the LocalSystem user account. However, running as the LocalSystem user account might be a security risk because it allows the worker process full access to the entire system.
  o The AnonymousPasswordSync metabase property must be enabled (set to true).


IIS Authentication Issues.

Digest Authentication - Configuring Subauthentication in a Windows 2000 Domain (IIS 6.0)

To use Digest authentication in IIS 6.0 when the domain controller is running Windows 2000 Server, you must enable subauthentication, which is not installed by default on IIS 6.0. There are three steps required to enable subauthentication:

• Register the subauthentication component, Iissuba.dll. At the command prompt, type the following and then press ENTER:
  rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA
• Set the UseDigestSSP metabase property to false.
• Set the identity of the application pool to LocalSystem.


IIS Authentication Issues

Digest Authentication - Advanced Digest Authentication in IIS 6.0 (IIS 6.0)

• Under Advanced Digest authentication, user credentials are stored on the domain controller as an MD5 hash. Because credentials are stored in Active Directory as an MD5 hash, user passwords cannot be feasibly discovered by anyone with access to the domain controller, not even by the domain administrator.
• Advanced Digest authentication is available to Web Distributed Authoring and Versioning (WebDAV) directories.
• In IIS 6.0, Advanced Digest authentication is preferred over Digest authentication, but Digest authentication is still available. Advanced Digest authentication relies on the HTTP 1.1 protocol.
• Configuring Advanced Digest authentication on the server running IIS requires the following three tasks:
  o Enable Digest authentication for Windows domain servers.
  o Configure the realm name.
  o Set the UseDigestSSP metabase property to true. You can configure the UseDigestSSP metabase property at the W3SVC level of the metabase. A child key inherits its configuration from the level above it.


HTTP.SYS Troubleshooting Tips

• HTTP.SYS will log any errors it returns to the httperrx.log file. This can be especially useful in troubleshooting “Service Unavailable” errors.
• Definitions of the reason codes can be found in http://support.microsoft.com/kb/820729
• Common HTTP.SYS registry settings for use with IIS are listed in http://support.microsoft.com/kb/820129
• IISReset will not restart HTTP.SYS. To stop/restart this driver, you can use:
  o net stop http
  o net start http
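A small triage pass over HTTP.SYS error log lines, as an added example that is not part of the original slides: it groups “Service Unavailable” (503) entries by application pool queue and reason phrase. The default field order is an assumption that a `#Fields:` line in the log overrides, and the sample lines, addresses and pool name are constructed.

```python
from collections import Counter

# Assumption: field order of the HTTP API error log on Windows Server 2003 SP1
# and later. A "#Fields:" line in the log itself overrides this default.
DEFAULT_FIELDS = ("date time c-ip c-port s-ip s-port cs-version cs-method "
                  "cs-uri sc-status s-siteid s-reason s-queuename").split()

# Constructed sample lines (documentation addresses, made-up pool name).
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2018-04-04 10:15:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2018-04-04 10:15:02 192.0.2.10 50112 192.0.2.1 80 HTTP/1.1 GET /app/default.aspx 503 1 AppOffline ExamplePool
2018-04-04 10:15:03 192.0.2.11 50113 192.0.2.1 80 HTTP/1.1 GET /app/default.aspx 503 1 AppOffline ExamplePool
2018-04-04 10:15:09 192.0.2.12 50200 192.0.2.1 80 - - - - - Timer_ConnectionIdle -
2018-04-04 10:16:40 192.0.2.10 50301 192.0.2.1 80 HTTP/1.1 POST /app/upload.aspx 503 1 QueueFull ExamplePool
2018-04-04 10:17:01 192.0.2.13 50410 192.0.2.1 80 HTTP/1.1 GET /%zz 400 - URL -
2018-04-04 10:17:30 192.0.2.14 50
"""


def parse_httperr(text):
    """Return (records, skipped): one dict per entry, plus unparsable line count."""
    fields = list(DEFAULT_FIELDS)
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            skipped += 1                      # e.g. a truncated last line
            continue
        records.append(dict(zip(fields, values)))
    return records, skipped


def service_unavailable_by_queue(records):
    """Count 503 responses per (application pool queue, reason phrase)."""
    counts = Counter()
    for record in records:
        if record.get("sc-status") == "503":
            key = (record.get("s-queuename", "-"), record.get("s-reason", "-"))
            counts[key] += 1
    return counts


def reason_totals(records):
    """Count every entry by reason phrase, whatever its status code."""
    return Counter(record.get("s-reason", "-") for record in records)


if __name__ == "__main__":
    recs, skipped = parse_httperr(SAMPLE_LOG)
    for (queue, reason), n in service_unavailable_by_queue(recs).most_common():
        print(f"503 x{n}  queue={queue}  reason={reason}")
    print("all reasons:", dict(reason_totals(recs)), "skipped:", skipped)
```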


Checklist

End of Life Middleware Product Recoverability Plan

BACKUP (columns: Backup taken? / Frequency / Location)

• Entire Windows box
  Backup taken? Yes. Frequency: Daily/Weekly. Location: <<Should always be data drive on IIS servers or some other shared drive on the network>>
• For IIS 6.0, have the files 'Metabase.xml' and 'MBSchema.xml' been backed up? You can find those files in 'C:\WINDOWS\system32\inetsrv'.
  Backup taken? Yes. Frequency: Weekly.
• For IIS 6.0, has the backup with password been taken for the entire IIS from the IIS Console? Set the password same as the hostname (in lower case).
  Backup taken? Yes. Frequency: Weekly.
• For IIS 5.0/IIS 6.0, has the backup of the MachineKeys folder ‘C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys’ been taken?
  Backup taken? Yes. Frequency: Weekly.
• For IIS 7.5 -> Configuration files found in location 'C:\WINDOWS\system32\inetsrv\Config' should be backed up.
  Backup taken? Yes. Frequency: Weekly.
• For IIS 7.5 -> Please back up the entire inetsrv folder itself, found in location 'C:\WINDOWS\system32\inetsrv'.
  Backup taken? Yes. Frequency: Weekly.

What is the backup policy for all files/folders associated with IIS?


Checklist

End of Life Middleware Product Recoverability Plan

RESTORE (columns: Restore done? / Frequency / Location)

• Is IIS checked by RESTORING the above backups, which are taken for the respective technologies?
  Restore done? Yes. Frequency: Monthly.
• At what frequency is the IIS restorability test done?
  Restore done? Yes. Frequency: Weekly.
• Are the older version software installables available for the Middleware product (in case a re-install is required)? If yes, please provide the location with details.
  Restore done? Yes. Frequency: One time activity. Location: <<Provide the Location details>>

What is the restore policy for all files/folders associated with IIS?


Thank You