Internet Information Services (IIS) Doomsday Plan
Vandana Pandey
IIS 6.0 : Back Up and Restore
• In IIS 6.0, take a password-protected backup of IIS from IIS Manager (steps on the next slide), then copy the files 'Metabase.xml' and 'MBSchema.xml' to another location.
• Copy the following folders completely and make them part of the daily or weekly backup:
  o %windir%\system32\inetsrv\MetaBack
  o %windir%\system32\inetsrv
  o C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
• Ensure that the above folders are included in the weekly system backup.
• MachineKeys matters because the metabase encrypts its secure properties (for example the anonymous-user and application pool account passwords) with the key container stored there; without that container a restored Metabase.xml cannot decrypt them.

Backup type         Location
Manual backup       %windir%\system32\inetsrv\MetaBack
Automatic history   %windir%\system32\inetsrv\History
IIS 6.0 : Back Up and Restore Steps
Following are the steps to take a backup with a password.
BACKUP of IIS 6.0: To create a portable backup (password required)
1. In IIS Manager, right-click the local computer, point to All Tasks, and click Backup/Restore Configuration.
2. Click Create Backup.
3. In the Configuration backup name box, type a name for the backup file.
4. Select the Encrypt backup using password check box, type a password into the Password box, and then type the same password in the Confirm password box.
5. Click OK, and then click Close.
Only a password-encrypted backup is portable: a backup taken without a password can be restored only on the machine that created it, because its secure properties are tied to that machine's key container.
RESTORING of IIS 6.0: To restore an IIS metabase backup
1. In IIS Manager, right-click the local computer, point to All Tasks, and click Backup/Restore Configuration.
2. In the Backups list, click the backup you want to restore and click Restore.
Note: If you want to restore IIS to its initial configuration, restore the backup named Initial Backup (created automatically by IIS setup).
3. Read the message that appears and click Yes if you want to continue.
4. If you are restoring a secure backup, you are prompted for the password you typed when the backup was created. Type the password and click OK. Passwords are case sensitive.
5. Click OK.
IIS 7.5 : Back Up and Restore Steps (appcmd is available from IIS 7.0 onwards)
• To back up the configuration, run: %windir%\system32\inetsrv\appcmd.exe add backup "My Backup Name"
• To restore that backup, run: %windir%\system32\inetsrv\appcmd.exe restore backup "My Backup Name"
• To delete a backup, run: %windir%\system32\inetsrv\appcmd.exe delete backup "My Backup Name"
• appcmd list backup shows the backups available; each one is a folder under %windir%\system32\inetsrv\backup, so that folder belongs in the off-box copy as well.
• IIS automatically makes history snapshots of ApplicationHost.config each time a change is detected, enabling you to easily restore to a prior version.
• By default, IIS checks for a new version every 2 minutes and keeps 10 prior versions of the file. IIS 7 stores these snapshots in the %systemdrive%\inetpub\history folder by default.
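The appcmd commands above only create a backup on the same disk as the live configuration. The following script is an added example (not part of the original slides) of the daily/weekly job the checklist at the end asks for on IIS 7.x: it takes a dated appcmd backup, copies the backup, the live Config folder and the history snapshots to a share, verifies the backup is registered, and prunes old local copies. It is written for Windows PowerShell 2.0 on Windows Server 2008/2008 R2; the share path, the 'cfg_' name prefix and the 14-day local retention are assumptions.

```powershell
# Added example: scripted IIS 7.x configuration backup to a network share.
# Assumed values: backup share, 'cfg_' prefix, 14-day local retention.
$inetsrv = Join-Path $env:windir 'system32\inetsrv'
$appcmd  = Join-Path $inetsrv 'appcmd.exe'
$share   = "\\backupsrv\iis\$env:COMPUTERNAME"           # assumed backup share
$name    = 'cfg_' + (Get-Date -Format 'yyyyMMdd_HHmmss')  # one backup per run, never overwritten

# 1. appcmd writes the backup to %windir%\system32\inetsrv\backup\<name>
& $appcmd add backup $name
if ($LASTEXITCODE -ne 0) { throw "appcmd add backup failed (exit code $LASTEXITCODE)" }

# 2. Copy the backup, the live Config folder and the automatic history snapshots off-box.
#    robocopy exit codes below 8 mean success (0 = nothing new, 1 = files copied).
$copies = @(
    @{ Src = (Join-Path $inetsrv "backup\$name");            Dst = "$share\$name\backup"  },
    @{ Src = (Join-Path $inetsrv 'config');                  Dst = "$share\$name\config"  },
    @{ Src = (Join-Path $env:SystemDrive 'inetpub\history'); Dst = "$share\$name\history" }
)
foreach ($c in $copies) {
    & robocopy $c.Src $c.Dst /E /R:2 /W:2 /NP /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy $($c.Src) -> $($c.Dst) failed (exit code $LASTEXITCODE)" }
}

# 3. Confirm the backup is registered, then prune local backups older than 14 days
#    (the off-box copies are the long-term record).
& $appcmd list backup | Where-Object { $_ -match [regex]::Escape($name) }
Get-ChildItem (Join-Path $inetsrv 'backup') |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'cfg_*' -and $_.LastWriteTime -lt (Get-Date).AddDays(-14) } |
    ForEach-Object { & $appcmd delete backup $_.Name }
```

Two caveats for the share. The Config folder contains application pool and virtual directory credentials encrypted with the iisConfigurationKey and iisWasKey RSA containers in MachineKeys, so a copy restored on a different host only decrypts them if those containers were exported (aspnet_regiis -px, as used for IIS shared configuration) and imported there. For the same reason the share must be readable only by the people allowed to hold those credentials.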
IIS Service Start-Up Issues
IIS Admin Service Start-Up Issues

IISAdmin role
In IIS 6.0, the IIS Admin Service loads the primary configuration file for IIS sites, the MetaBase.xml file, and the related in-memory configuration services. The IIS Admin Service also loads the following:
• The File Transfer Protocol (FTP) service
• The Network News Transfer Protocol (NNTP) service
• The Simple Mail Transfer Protocol (SMTP) service
Because W3SVC, FTP, SMTP and NNTP depend on it, stopping IISADMIN stops them as well.

How to trace the IIS Admin Service
Use the following procedure to trace the IIS Admin Service if it fails to start or shut down. IIS Admin tracing uses the parameters shown below.
To trace the IIS Admin Service:
• From a command prompt, type logman start <session name> -p "IIS: IISADMIN Global" (startup,shutdown) -ets and press ENTER.
  For example: logman start IISAdminTrace -p "IIS: IISADMIN Global" (startup,shutdown) -ets
• Event Tracing for Windows prints to the screen details about the trace session you just started, including the name of the session, the file name where the trace data will be collected (<session name>.etl by default), and whether or not the command was successful.
• If necessary, start or stop the IIS Admin Service (depending on the nature of the problem you are trying to troubleshoot). The service name is IISADMIN: type net stop iisadmin or net start iisadmin and press ENTER.
• Allow the trace session to run until you have reproduced the problem.
• From the command prompt, type logman stop <session name> -ets and press ENTER.

How to process IIS Admin trace log files using Trace Report
IIS Admin trace data is written in binary format to a trace log (<filename>.etl). To view the trace data, the log file must be processed using the Trace Report tool (tracerpt.exe) that ships with Windows Server 2003.
To process and view an IIS Admin trace log:
1. Open a command prompt and navigate to the directory where your IIS Admin trace log .etl file is stored.
2. Type tracerpt <filename>.etl and press ENTER. Trace Report processes the .etl file and creates two new files in the directory where you executed this command: summary.txt and dumpfile.csv.
3. To view the file, type notepad dumpfile.csv and press ENTER.
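The whole procedure above as one script, added here as an example (not part of the original slides) for Windows Server 2003 with Windows PowerShell 2.0. It starts the ETW session, restarts IISADMIN to reproduce the failure, stops the session, converts the .etl with tracerpt and does a first pass over the output. The output folder C:\Traces and the assumption that a service restart reproduces the problem are mine.

```powershell
# Added example: IIS Admin (IIS 6.0) startup/shutdown trace, start to finish.
# Assumed: C:\Traces exists; the failure reproduces on a restart of IISADMIN.
$session  = 'IISAdminTrace'
$traceDir = 'C:\Traces'                                 # assumed output folder
$etl      = Join-Path $traceDir "$session.etl"

# 1. Start the session. The provider flags are quoted so PowerShell does not evaluate
#    (startup,shutdown) as an expression; -o names the .etl, -ets starts it immediately.
& logman start $session -p 'IIS: IISADMIN Global' '(startup,shutdown)' -o $etl -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed (exit code $LASTEXITCODE)" }

# 2. Reproduce. -Force also stops the dependents (W3SVC, SMTP, FTP, NNTP). If IISADMIN
#    refuses to come back, that is exactly the event we want in the trace, so carry on.
try   { Restart-Service -Name IISADMIN -Force -ErrorAction Stop }
catch { Write-Warning "IISADMIN restart failed, still collecting the trace: $_" }
Start-Service -Name W3SVC -ErrorAction SilentlyContinue  # dependents do not restart on their own

# 3. Stop the session and convert the binary .etl with Trace Report
& logman stop $session -ets
if ($LASTEXITCODE -ne 0) { throw "logman stop failed (exit code $LASTEXITCODE)" }
Set-Location $traceDir
& tracerpt $etl -o "$session.csv" -summary "$session-summary.txt"

# 4. First pass: failing calls and the HRESULTs they return
Select-String -Path (Join-Path $traceDir "$session.csv") -Pattern 'fail|error' |
    Select-Object -First 20 -Property LineNumber, Line
```

Run it from an elevated prompt; logman and service control both need administrator rights. The summary file lists how many events each provider wrote, which tells you quickly whether the trace captured the startup path at all before you read the CSV.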
IIS 5 & 5.1 Metabase Corruption Issue
SYMPTOMS
  o Unable to Enum (enumerate) the W3SVC key.
  o On IIS 5.0 & 5.1: C:\Inetpub\AdminScripts> cscript adsutil.vbs enum_all
REASONS
  o If running that command on IIS 5.0 or IIS 5.1 returns an error, the Metabase.bin file is corrupt.
SOLUTION
  • Try restoring a backup from the old backups or the Initial Backup. (It is always preferable to have backups taken with a password.)
  • If neither an old backup nor the Initial Backup can be restored, check the following:
    o Check the permissions on the MachineKeys folder, found at C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.
    o Follow the article http://support.microsoft.com/kb/278381 and ensure that the MachineKeys folder has the appropriate permissions.
    o Check whether there are multiple C23 keys in the MachineKeys folder.
    o For example, if this is the C23 machine key:
      c2319c42033a5ca7f44e731bfd3fa2b5_8b906d95-1bf2-4c4c-8bc5-ae4bb414fe16
      c2319c42033a5ca7f44e731bfd3fa2b5 -> actual key (the IIS metabase key container)
      8b906d95-1bf2-4c4c-8bc5-ae4bb414fe16 -> machine GUID (unique for each box)
      More than one file with the c2319c42... prefix usually means a MachineKeys folder was copied in from another machine; only the file whose suffix matches this machine's GUID is usable here.
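The MachineKeys checks in the SOLUTION column, as an added example (not part of the original slides): the script lists every container with the c2319c42... prefix named above, compares each suffix with this machine's cryptography GUID, and prints the folder and file ACLs so they can be compared with KB 278381. It assumes Windows PowerShell 2.0 on Windows 2000/2003/XP, where %ALLUSERSPROFILE% resolves to C:\Documents and Settings\All Users.

```powershell
# Added example: find the IIS metabase key container(s) in MachineKeys and show their ACLs.
$machineKeys = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
$prefix      = 'c2319c42033a5ca7f44e731bfd3fa2b5_'   # prefix of the IIS metabase key container

# Every container file name ends in this machine's cryptography GUID
$machineGuid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid

$keys = @(Get-ChildItem -Path $machineKeys -Force | Where-Object { $_.Name -like "$prefix*" })
switch ($keys.Count) {
    0       { Write-Warning "No IIS key container in $machineKeys; a restored metabase cannot decrypt its secure properties" }
    1       { "Single IIS key container: $($keys[0].Name)" }
    default { Write-Warning "$($keys.Count) IIS key containers found; usually a MachineKeys folder copied from another machine" }
}
foreach ($k in $keys) {
    $suffix = $k.Name.Substring($prefix.Length)
    $state  = if ($suffix -ieq $machineGuid) { 'matches MachineGuid' } else { 'FOREIGN (GUID mismatch)' }
    '{0,-72} {1:yyyy-MM-dd HH:mm} {2}' -f $k.Name, $k.LastWriteTime, $state
}

# ACLs: compare with the defaults in KB 278381. A container the IIS identity cannot read
# gives the same symptom (enumeration failure) as a missing or foreign container.
Write-Output "`nACL on $machineKeys"
(Get-Acl $machineKeys).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
foreach ($k in $keys) {
    Write-Output "`nACL on $($k.Name)"
    (Get-Acl $k.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Run it as an administrator; MachineKeys is not listable by ordinary users. A foreign container should be moved aside (not deleted) until the metabase is confirmed working, because it may be the only copy of a key some other restored backup needs.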
IIS 5 & 5.1 Metabase Corruption Issue: Restoring IIS Configuration from Backup Files
• If the machine has not changed, re-installing IIS and restoring the old metabase should be attempted first.
• If the above step fails:
  o Back up your local metabase on your Windows 2003 or Windows XP machine.
  o Open the Metabase.bin file in Metabase Explorer (http://www.microsoft.com/en-us/download/details.aspx?id=17275) on a Windows 2003 or Windows XP machine.
  o Rename the existing W3SVC and other required keys on your local machine.
  o Copy the W3SVC and all the required keys from the customer's metabase onto the local metabase under the LM key.
  o Open the MetaEdit tool (http://support.microsoft.com/kb/301386) on the same Windows 2003 or Windows XP box, select the W3SVC and other keys that you copied, and use the Export option in the File menu to export them to a text file.
  o Repeat the above step for all the keys that you have copied, then close the MetaEdit tool.
  o Go back to Metabase Explorer and delete the customer's keys that you have copied.
  o Rename your local metabase entries back to the way they were.
  o Then run an IISReset.
IIS 6.0 Corruption Issue
Steps to recover IIS 6.0
• Check the History folder (%systemroot%\System32\Inetsrv\History) and the MetaBack folder (%systemroot%\System32\Inetsrv\MetaBack) under inetsrv for any backups that were taken automatically.
• If you find files in the History folder:
  o Rename the latest Metabase_XXXXXXXX_XXXXXXXX.xml file to Metabase.xml.
  o Rename the matching MBSchema_XXXXXXXX_XXXXXXXX.xml file to MBSchema.xml.
  o Stop the IIS Admin Service, copy the above two files into inetsrv (keeping the damaged originals under another name), and try to start the services.
• If you want to manually copy entries instead, make sure you are not copying the AdminACL sections: they are stored encrypted and are specific to the machine they came from.
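The history-folder recovery above, scripted as an added example (not part of the original slides) for Windows Server 2003 with Windows PowerShell 2.0. It picks the newest Metabase_*.xml snapshot, the MBSchema snapshot with the same version suffix (or the newest one if there is no exact match), swaps both in with IISADMIN stopped, keeps the damaged files, and verifies the result with adsutil. The file-name pattern Metabase_<major>_<minor>.xml, the pairing rule and the adsutil.vbs location are assumptions.

```powershell
# Added example: promote the newest automatic history snapshot to the live IIS 6.0 metabase.
# Assumed: history names are Metabase_<major>_<minor>.xml / MBSchema_<major>_<minor>.xml,
# and adsutil.vbs lives in C:\Inetpub\AdminScripts.
$inetsrv = Join-Path $env:windir 'system32\inetsrv'
$history = Join-Path $inetsrv 'History'
$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'

$metaSnap = Get-ChildItem (Join-Path $history 'Metabase_*.xml') |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $metaSnap) { throw "No history snapshots in $history; fall back to MetaBack or an IIS Manager backup" }

# Metabase_0000000123_0000000000.xml -> 0000000123_0000000000
$version    = $metaSnap.BaseName.Substring('Metabase_'.Length)
$schemaSnap = Get-Item (Join-Path $history "MBSchema_$version.xml") -ErrorAction SilentlyContinue
if (-not $schemaSnap) {
    # No schema snapshot for that exact version: the schema rarely changes, so take the newest
    $schemaSnap = Get-ChildItem (Join-Path $history 'MBSchema_*.xml') |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
}
if (-not $schemaSnap) { throw "No MBSchema snapshot in $history" }
"Restoring $($metaSnap.Name) + $($schemaSnap.Name)"

# The files can only be swapped while IISADMIN is down; -Force also stops W3SVC/SMTP/FTP/NNTP
Stop-Service -Name IISADMIN -Force -ErrorAction SilentlyContinue

# Keep the damaged files for analysis instead of overwriting them
foreach ($f in 'Metabase.xml', 'MBSchema.xml') {
    $live = Join-Path $inetsrv $f
    if (Test-Path $live) { Move-Item $live "$live.corrupt_$stamp" }
}
Copy-Item $metaSnap.FullName   (Join-Path $inetsrv 'Metabase.xml')
Copy-Item $schemaSnap.FullName (Join-Path $inetsrv 'MBSchema.xml')

Start-Service -Name IISADMIN
Start-Service -Name W3SVC

# Verify the restored metabase loads: enumerate the W3SVC key (the same check the IIS 5 slide uses)
& cscript //nologo 'C:\Inetpub\AdminScripts\adsutil.vbs' ENUM W3SVC
if ($LASTEXITCODE -ne 0) {
    Write-Warning "adsutil could not enumerate W3SVC; try the next older snapshot or a MetaBack backup"
}
```

Because the whole file comes from the same server, its AdminACL section decrypts with the local key container; the warning about AdminACL applies only when entries are copied by hand from another machine's metabase. If the newest snapshot was itself written after the corruption, run the script again after moving that snapshot out of History so the next older pair is chosen.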
IIS Performance Issues
• Identify from the event logs whether the issue is a hang or a crash.
• Crash issue
  o In IIS 5 you will find Event ID 37 or Event ID 7031 in the System event log.
  o In IIS 6 you should see Event ID 1009.
  o Check for "unexpectedly terminated" entries for worker processes, DLLHost or Inetinfo in the System event log.
  o Install the Debugging Tools and capture crash dumps.
• Heap corruption
  o If the initial set of dumps reveals heap corruption, enable Page Heap using the Debug Diag tool and capture another set of crash dumps.
IIS Performance Issues
• Hang issue
  o Check whether the CPU is spiking or the pages are simply hung without displaying any content.
  o Check whether memory is spiking along with the CPU.
  o Capture Performance Monitor logs.
  o Get the Event Viewer logs and the W3SVC (IIS) logs from the customer.
• Memory leaks
  o Install the Debug Diag tool to capture the memory-leak dumps.
  o Configure the tool to capture memory-leak dumps at different intervals.
Troubleshooting IIS Performance Issues
Debugging Tools for Windows (ADPlus): http://support.microsoft.com/kb/286350

Description                                        Command
For monitoring all IIS processes for a crash       cscript adplus.vbs -crash -iis
For monitoring a specific process ID for a crash   cscript adplus.vbs -crash -p <PID>
For monitoring all IIS processes for a hang        cscript adplus.vbs -hang -iis
For monitoring a specific process ID for a hang    cscript adplus.vbs -hang -p <PID>

(Newer Debugging Tools releases ship adplus.exe, which takes the same switches without cscript.)

IIS Performance Issues
Debug Diagnostics Tool:
• You can download and install the tool from http://www.microsoft.com/en-in/download/details.aspx?id=26798
• Runs as a service.
• GUI-based tool to configure and capture dumps for crashes, heap corruption, hangs and memory leaks.
• The tool can analyze the dumps using public symbols, which requires Internet access to the Microsoft symbol server.
Tools available by default on the box:
• NTSD and Dr. Watson are the debugging tools available by default on the box.
  o Run drwtsn32 from a command prompt or the Run menu.
  o Run ntsd from a command prompt or the Run menu.
Authentication Issues
Anonymous Authentication:
• Uses the IUSR_<MachineName> account by default.
• Can be configured to use a custom identity.
• Returns 401.1 when the IUSR password stored in the metabase goes out of sync with the local account's password.
• Articles:
  o For IIS 5 - http://support.microsoft.com/kb/271071
  o For IIS 6 - http://support.microsoft.com/kb/812614
  o For troubleshooting ASP in IIS 5 - http://support.microsoft.com/kb/309051
  o Listing the adsutil commands to use for IUSR and IWAM - http://support.microsoft.com/kb/297989
• Tools to use:
  o Netmon: filter HTTP traffic; filter only GET requests and responses by status code.
  o AuthDiag.
  o Process Monitor: look for any ACCESS DENIED entries.
• Set the appropriate NTFS or registry permissions. On Windows 2000 use regedt32 to set permissions on the registry.
• HTTP Keep-Alives: NTLM authentication is connection-based and fails when they are disabled.
Authentication Issues
Basic Authentication:
• The password is sent in clear text: it is only Base64 encoded, not encrypted, so anyone on the network path can read it.
• SSL is therefore recommended.
• The browser first requests the page anonymously, receives a 401 carrying the 'WWW-Authenticate' header, then resends the request with the credentials and authenticates.
• Setting the default domain to "\" authenticates users against all domains.
• In IIS 6, you can specify the Realm (the name shown to the user in the credential prompt).
Authentication Issues
Troubleshooting Integrated Authentication:
• Best suited for intranet use.
• Over the Internet, Integrated Authentication is not supported because proxies and firewalls block the Integrated requests.
• Integrated Authentication includes both Kerberos and NTLM.
• The metabase property is NTAuthenticationProviders; the default value is "Negotiate,NTLM".
  o cscript adsutil.vbs get W3SVC/NTAuthenticationProviders
• NTLM supports only one hop between client and server (no delegation to a back end such as SQL Server).
IIS Authentication Issues
Troubleshooting Kerberos Authentication:
• Communication between client and server uses session tickets.
• The client contacts the KDC:
  o AS Exchange: the client sends pre-authentication data (a timestamp encrypted with its own key) to the Authentication Service.
  o The client gets the TGT and, in the same AS reply, the session key it will use to talk to the TGS.
  o TGS Exchange: the client sends an authenticator (encrypted with that session key) and the TGT to the TGS.
  o The client gets the service ticket and a session key for the client/server (CS) exchange.
• The client presents the ticket to the server along with an authenticator encrypted with the session key obtained from the TGS.
• Communication continues with the server.
• The computer account (IIS 5) or the computer account / specific service account (IIS 6) must be trusted for delegation for a second hop.
IIS Authentication Issues
Troubleshooting Kerberos Authentication (continued):
• SPNs must be registered properly: HTTP/<host> and HTTP/<FQDN> on the account the worker process runs as, and only once in the forest. A duplicate SPN makes the KDC fail the ticket request and the client silently falls back to NTLM.
• Use SETSPN, Kerbtray and KList to troubleshoot Kerberos.
• The Netmon tool can be used to see the Kerberos traffic.
• Before starting the Netmon capture, purge all available tickets on the client machine (klist purge, or Purge Tickets in Kerbtray).
• For the second hop to SQL Server, the account under which the IIS worker process runs must be trusted for delegation, and the account under which SQL Server runs must have its SPN (MSSQLSvc/<host>:<port>) registered.
• The accounts trying to access the IIS server, i.e. the client accounts, must not be set to "Account is sensitive and cannot be delegated".
• Enable security auditing (Local Security Policy) on the IIS server to check for logon security events.
• On client computers the IE option "Enable Integrated Windows Authentication" must be checked.
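The checks on the two Kerberos slides, as an added example (not part of the original slides) that uses only built-in tools: setspn for the SPN checks, an LDAP query through System.DirectoryServices for the delegation flags, and klist to purge tickets before a capture. The host name, app pool account and client user are placeholders, and it assumes setspn -Q/-X and klist are available (built in on Windows Server 2008 and later; on 2003 they come from the Support Tools and Resource Kit). Run it on a domain-joined machine as a user that can read Active Directory.

```powershell
# Added example: verify the Kerberos prerequisites for an IIS site with a second hop.
# Placeholder names: web01.corp.example.com, svc_web, jdoe.
function Test-IisKerberosPrereqs {
    param([string]$WebHost, [string]$AppPoolAccount, [string]$ClientUser)

    # userAccountControl bits (ADS_USER_FLAG_ENUM)
    $TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this user for delegation to any service"
    $NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

    function Get-AdAccount([string]$sam) {
        # objectClass=user matches users and computer accounts (pass 'HOST$' for a computer)
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.Filter = "(&(objectClass=user)(sAMAccountName=$sam))"
        [void]$s.PropertiesToLoad.Add('userAccountControl')
        [void]$s.PropertiesToLoad.Add('msDS-AllowedToDelegateTo')
        $r = $s.FindOne()
        if ($r -eq $null) { throw "Account '$sam' not found in AD" }
        New-Object PSObject -Property @{
            Name      = $sam
            Uac       = [int]$r.Properties['useraccountcontrol'][0]
            AllowedTo = @($r.Properties['msds-allowedtodelegateto'])
        }
    }

    # 1. SPNs: HTTP/<fqdn> and HTTP/<host> must exist exactly once, on the worker process identity
    #    (the computer account when the pool runs as Network Service or LocalSystem).
    foreach ($spn in "HTTP/$WebHost", "HTTP/$($WebHost.Split('.')[0])") {
        $out = & setspn -Q $spn 2>&1
        if ("$out" -match 'Existing SPN found') {
            "OK   $spn is registered on: " + (($out | Where-Object { "$_" -match '^CN=' }) -join ', ')
        } else {
            Write-Warning "$spn is not registered; fix with: setspn -S $spn $AppPoolAccount"
        }
    }
    "Duplicate SPN scan (setspn -X):"
    & setspn -X

    # 2. Delegation flags on the first-hop identity and on the client user
    $svc = Get-AdAccount $AppPoolAccount
    if     ($svc.Uac -band $TRUSTED_FOR_DELEGATION) { "OK   ${AppPoolAccount}: unconstrained delegation" }
    elseif ($svc.AllowedTo.Count -gt 0)             { "OK   ${AppPoolAccount}: constrained to " + ($svc.AllowedTo -join ', ') }
    else   { Write-Warning "$AppPoolAccount is not trusted for delegation; the second hop (e.g. to SQL Server) will fail" }
    if ($svc.Uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { "     (protocol transition enabled)" }

    $usr = Get-AdAccount $ClientUser
    if ($usr.Uac -band $NOT_DELEGATED) { Write-Warning "$ClientUser has 'Account is sensitive and cannot be delegated'" }
    else                                { "OK   $ClientUser may be delegated" }

    # 3. Fresh tickets before the Netmon capture
    & klist purge | Out-Null
    "Tickets purged; reproduce the request now, then inspect the new tickets with: klist"
}

Test-IisKerberosPrereqs -WebHost 'web01.corp.example.com' -AppPoolAccount 'svc_web' -ClientUser 'jdoe'
```

Prefer the constrained branch (msDS-AllowedToDelegateTo listing only the SQL Server SPN) over unconstrained delegation: an IIS account trusted for delegation to any service can replay every authenticated user's identity to any service in the forest, so it is the account an attacker who compromises the web server would most like to hold.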
IIS Authentication Issues
Digest Authentication:
On a Windows 2000 Server, if the option is disabled, check:
• Whether the MD5filt ISAPI filter is loaded. Add md5filt.dll as an ISAPI filter if it is not in the list.
• In AD, whether the account is set to "Store password using reversible encryption"; then reset the user's password so the reversible copy is actually stored. Reversible encryption leaves a password-equivalent on the domain controller, so enable it only for the accounts that need Digest.
• If the server is IIS 5 and the DC is Windows Server 2003, run the following command on the 2003 DC:
  o rundll32 iissuba.dll,RegisterIISSUBA
IIS Authentication Issues
Digest Authentication - Configuring Subauthentication on a New Installation of IIS 6.0:
• By default, after installing Windows Server 2003 and IIS 6.0, IIS runs in worker process isolation mode and subauthentication is disabled.
• Subauthentication is disabled when the AnonymousPasswordSync metabase property is set to false.
• To enable anonymous password synchronization, ensure that your system meets the following requirements:
  o The subauthentication component, Iissuba.dll, must be registered. At the command prompt, type the following and then press ENTER:
    rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA
  o The application pool of the web site runs as the LocalSystem account. Running as LocalSystem is a security risk because it gives the worker process, and any code an attacker can make it run, full access to the entire system.
  o The AnonymousPasswordSync metabase property must be enabled (set to true).
IIS Authentication Issues
Digest Authentication - Configuring Subauthentication in a Windows 2000 Domain (IIS 6.0)
To use Digest authentication in IIS 6.0 when the domain controller is running Windows 2000 Server, you must enable subauthentication, which is not installed by default on IIS 6.0. There are three steps required to enable subauthentication:
• Register the subauthentication component, Iissuba.dll. At the command prompt, type the following and then press ENTER:
  rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA
• Set the UseDigestSSP metabase property to false.
• Set the identity of the application pool to LocalSystem (with the risk noted on the previous slide).
IIS Authentication Issues
Digest Authentication - Advanced Digest Authentication in IIS 6.0
• Under Advanced Digest authentication, user credentials are stored on the domain controller as an MD5 hash (of user name, realm and password) instead of in reversible encryption, so the password itself cannot be read by anyone with access to the domain controller, not even the domain administrator. The hash is still password-equivalent for Digest and can be brute-forced offline, so the DC and any backup containing it still need protecting.
• Advanced Digest authentication is available for Web Distributed Authoring and Versioning (WebDAV) directories.
• In IIS 6.0, Advanced Digest authentication is preferred over Digest authentication, but Digest authentication is still available. Advanced Digest authentication relies on the HTTP 1.1 protocol.
• Configuring Advanced Digest authentication on the server running IIS requires the following three tasks:
  o Enable Digest authentication for Windows domain servers.
  o Configure the realm name.
  o Set the UseDigestSSP metabase property to true. You can configure UseDigestSSP at the W3SVC level of the metabase; a child key inherits its configuration from the level above it.
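The two Digest configurations on the preceding slides (subauthentication for a Windows 2000 domain, Advanced Digest for a Windows Server 2003 domain) expressed as adsutil.vbs calls, added here as an example that is not part of the original slides. It is written for Windows PowerShell 2.0 on Windows Server 2003; the adsutil.vbs location, the site path W3SVC/1/ROOT, the pool name DefaultAppPool and the realm corp.example.com are assumptions.

```powershell
# Added example: the two Digest setups as metabase edits. Assumed: adsutil.vbs in
# C:\Inetpub\AdminScripts, site W3SVC/1, pool DefaultAppPool, realm corp.example.com.
$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
function Set-MetabaseProperty([string]$Path, [string]$Value) {
    & cscript //nologo $adsutil SET $Path $Value
    if ($LASTEXITCODE -ne 0) { throw "adsutil SET $Path $Value failed" }
}

# Preferred: Advanced Digest against Windows Server 2003 DCs. No LocalSystem pool and no
# reversibly encrypted passwords. AuthFlags 16 = Digest only (1 = Anonymous, 2 = Basic, 4 = NTLM).
function Enable-AdvancedDigest([string]$Site = 'W3SVC/1/ROOT', [string]$Realm) {
    Set-MetabaseProperty 'W3SVC/UseDigestSSP' 'TRUE'     # inherited by every child key
    Set-MetabaseProperty "$Site/Realm"        $Realm
    Set-MetabaseProperty "$Site/AuthFlags"    '16'
}

# Fallback: subauthentication for a Windows 2000 domain controller. This is the weak
# configuration: the worker process runs as LocalSystem (AppPoolIdentityType 0) and the DC
# keeps the password in reversible encryption. Keep it only until the DCs are upgraded.
function Enable-DigestSubauth([string]$Pool = 'DefaultAppPool', [switch]$AnonymousPasswordSync) {
    & rundll32 "$env:SystemRoot\system32\iissuba.dll,RegisterIISSUBA"
    Set-MetabaseProperty 'W3SVC/UseDigestSSP' 'FALSE'
    Set-MetabaseProperty "W3SVC/AppPools/$Pool/AppPoolIdentityType" '0'   # 0 = LocalSystem
    if ($AnonymousPasswordSync) {
        # Only needed when the anonymous account's password should be synchronised by IIS as well
        Set-MetabaseProperty 'W3SVC/AnonymousPasswordSync' 'TRUE'
    }
    & iisreset
}

Enable-AdvancedDigest -Realm 'corp.example.com'
```

Setting AuthFlags to 16 replaces the whole flag set, so anonymous access is switched off for that path at the same time; add 1 to the value if anonymous access must stay on. Digest, like Basic, still benefits from SSL: it protects the password but not the request and response bodies.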
HTTP.SYS Troubleshooting Tips
• HTTP.SYS logs every error it returns itself to the httperr<n>.log files in %windir%\System32\LogFiles\HTTPERR. These requests never reach a worker process, so they do not appear in the W3SVC logs; this is especially useful in troubleshooting "Service Unavailable" (503) errors.
• Definitions of the reason codes can be found in http://support.microsoft.com/kb/820729
• Common HTTP.SYS registry settings for use with IIS are listed in http://support.microsoft.com/kb/820129
• IISReset does not restart HTTP.SYS. To stop/restart this driver, use:
  o net stop http
  o net start http
  Stopping HTTP also stops every service bound to it (W3SVC and anything else listening through HTTP.SYS), so plan it as an outage.
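The first thing to do with an HTTPERR log during a "Service Unavailable" incident is to rank its reason codes, which the following added example does (it is not part of the original slides). The parser reads the field names from the #Fields header HTTP.SYS writes, so it follows the log format rather than hard-coding column positions. The sample lines are constructed to match that header and are not from any real server; the client addresses, URLs and pool name are made up.

```powershell
# Added example: parse HTTP.SYS error logs and rank reason codes. Sample lines are constructed.
$sample = @'
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2013-05-01 10:00:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2013-05-01 10:00:01 10.0.0.5 51234 10.0.0.1 80 HTTP/1.1 GET /app/default.aspx 503 1 AppOffline DefaultAppPool
2013-05-01 10:00:02 10.0.0.6 51240 10.0.0.1 80 HTTP/1.1 GET /app/report.aspx 503 1 QueueFull DefaultAppPool
2013-05-01 10:00:03 10.0.0.7 51250 10.0.0.1 80 - - - - - Timer_ConnectionIdle -
2013-05-01 10:00:04 10.0.0.5 51260 10.0.0.1 80 HTTP/1.1 GET /app/default.aspx 503 1 AppOffline DefaultAppPool
2013-05-01 10:00:05 10.0.0.9 51270 10.0.0.1 80 HTTP/1.1 GET /%c0%af../ 400 - URL -
'@

function ConvertFrom-HttpErrLog([string[]]$Lines) {
    # Column names come from the most recent #Fields line, so a format change is picked up
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.Trim() -eq '' -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $entry  = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $v = if ($i -lt $values.Count) { $values[$i] } else { '-' }   # tolerate short lines
            $entry | Add-Member -MemberType NoteProperty -Name $fields[$i] -Value $v
        }
        $entry
    }
}

$entries = ConvertFrom-HttpErrLog ($sample -split "`r?`n")

"Reason codes, most frequent first (KB 820729 explains each):"
$entries | Group-Object s-reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"503s per application pool queue:"
$entries | Where-Object { $_.'sc-status' -eq '503' } | Group-Object s-queuename |
    Select-Object Count, Name | Format-Table -AutoSize

"Clients with the most errors (a single source dominating the list is worth a closer look):"
$entries | Group-Object c-ip | Sort-Object Count -Descending |
    Select-Object -First 5 -Property Count, Name | Format-Table -AutoSize
```

Against a live server, replace the sample with the real files: ConvertFrom-HttpErrLog (Get-Content "$env:windir\System32\LogFiles\HTTPERR\httperr*.log"). AppOffline and QueueFull point at the application pool (rapid-fail protection or a saturated queue); Timer_* entries are connection housekeeping and are normal in small numbers; URL, Header and Verb rejections with one client IP behind them are the ones to hand to the security team.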
Checklist
End of Life Middleware Product Recoverability Plan: BACKUP
(Each item records: Backup taken? / Frequency / Location)
• Entire Windows box. - Yes / Daily or Weekly / <<Should always be a data drive on the IIS server or some other shared drive on the network>>
• For IIS 6.0, have the files 'Metabase.xml' and 'MBSchema.xml' been backed up? You can find those files in 'C:\WINDOWS\system32\inetsrv'. - Yes / Weekly
• For IIS 6.0, has a password-protected backup of the entire IIS configuration been taken from the IIS console? Use a strong password recorded in the team's password safe; do not derive it from the hostname or any other guessable value, because that password is all that protects the account passwords inside the backup. - Yes / Weekly
• For IIS 5.0/IIS 6.0, has the MachineKeys folder ('C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys') been backed up? - Yes / Weekly
• For IIS 7.5, the configuration files in 'C:\WINDOWS\system32\inetsrv\Config' should be backed up. - Yes / Weekly
• For IIS 7.5, please back up the entire inetsrv folder ('C:\WINDOWS\system32\inetsrv'). - Yes / Weekly
What is the backup policy for all files/folders associated with IIS?
Checklist
End of Life Middleware Product Recoverability Plan: RESTORE
(Each item records: Restore done? / Frequency / Location)
• Is IIS checked by RESTORING the above backups, taken for the respective technologies? - Yes / Monthly
• At what frequency is the IIS restorability test done? - Yes / Weekly
• Are the older-version software installables for the middleware product available (in case a re-install is required)? If yes, please provide the location with details. - Yes / One-time activity / <<Provide the location details>>
What is the restore policy for all files/folders associated with IIS?
Thank You