IIS7 Primer for Non IIS Gurus (Originally written for Exchange engineers)

IIS 7 Primer (for those accustomed to IIS 6)

This "Primer" was condensed down from a week long IIS 7 class that I had the privilege of attending, which was delivered by Patty Stoy. You rock Patty! Laura LaFleur assisted with development of this content. Thanks Laura! And a BIG thank you to Courtney Curry for evangelizing this content and encouraging me to convert it to a blog post. Thanks Courtney :).

Props to Scott Williams for doing the technical review and proofing. Many thanks to Jason Slaughter for "The Case of the Missing G". :) And to Brian Day, for all his wonderful ideas ;).

And remember, The Wire Never Lies! - https://blogs.technet.com/b/kpapadak/

Things to get used to… IIS7 is VERY different. So different, you can forget about IIS6 for the most part. Let's Rock & Roll Peeps!

Installation

• ASP.NET and the .NET framework have been fully integrated into IIS7. This means that developers can fully extend the core server architecture by using ASP.NET and the NET framework.
• IIS7 is now very 'modular' . There are over 40 modules that 'can' be installed. However, a 'default' install of IIS7 will include only the modules necessary to provide static web content with anonymous authentication. It IS possible to have 3rd party modules as well, so watch out for these!
• IIS7 does NOT include POP3 or SMTP services by default
• To Install IIS7 via GUI using Server Manager...  For example, for a CAS server:
  • Start>Run>All Programs>Administrative Tools>Server Manager
  • On the left, click Roles
  • On the right in the Roles frame, select Add Roles, click Next
  • In the Add Roles Wizard, ensure that the following is selected: 

         Web Server

         Web ISAPI-Ext

         Web-Metabase

IIS6 Compatibility Mode

Basic Authentication

Digest Authentication

Windows Authentication

Dynamic Content Compression

HTTP Redirect (optional)

RPC Proxy (optional)

Windows Process Activation Services

Active Directory CertificateServices (optional)

• EVERYTHING that can be installed via GUI can beinstalled via the command line tool:  servermanagercmd
  • Try this from a CMD line:  servermanagercmd -q
  • Details on how to install prerequisites for Exchange using the command line tool, servermanagercmd:

https://technet.microsoft.com/en-us/library/bb691354(EXCHG.80).aspx

Note:  It IS important that the prerequisites are installed in the proper order (for Exchange Server) when installing via command line!

• IIS services are dependent on the Windows Process Activation Service (WAS)!  All features grouped under the IIS-Web server update depend on the WAS features so
  WAS must be installed when they are selected. 
• The GUI will automatically install WAS, but when installing by CMD or script then WAS must be explicitly specified.
  • If you MUST troubleshoot by uninstalling IIS, you MUST remove the Windows Process Activation Service as well as IIS components to get a 'true' uninstall. 
  • IIS7 install logs are located in %systemroot%\Windows\iis7.log

Application Pools

• By default, when you create a new site in IIS, IIS will automatically create a new application pool with the same name
• Windows Process Activation Service (WAS) will create a special <AppPoolName>.config file for the worker processes to use and will be located in the \inetpub\temp\AppPools directory. WAS will ACL
  it to only allow that <AppPool> SID to access it. This means the app pool is isolated from all other app pools!
• And, you should ALL know how SUPER COOL that is :)

Metabase versus Config files

• IIS6 had one long, flat file, metabase.xml, known as the “IIS Metabase”, which contained ALL settings related to IIS, all web sites, vdirs, etc.
• IIS7 no longer uses this single, long flat file. It was replaced by ApplicationHost.config. 
• Some lower level settings are delegated to web.config files.  These are hierarchical files, all written in XML, that are easily viewable/editable in any text editor, e.g., Notepad.

The 3 config files that make up the
basis of an IIS7 install are:

1. The root config file: ApplicationHost.config

• Contains definitions of all sites, applications, vDir's, app pools, as well as global defaults for the web server.
• This will generally be the ONLY config file present after a default install of IIS7 (Exchange is an exception, of course)
• This file is located in %windir%\system32\inetsrv\config

THE Two root .NET framework config files:

1. Machine.config
2. Web.config 

• Both of the .NET Framework files are located in
  %windir%\Microsoft.NET\Framework\framework_version\CONFIG.
• In addition to the root applicationhost.config file, there can be configuration files at any hierarchical level beneath it,
  including site, application, virtual, and/or physical directories. These are called web.config files, and they store settings that are particular to the specific
  level (site, virtual directory, etc) where they are stored.
• Sites, applications, virtual directories, physical directories, and files, inherit configuration settings from the server-level
  configuration files and from any parent configuration files. This means you 'could' have several configuration files that apply to any particular virtual directory.

Reference: https://technet.microsoft.com/en-us/library/cc754617.aspx

• Exchange 2007 requires a metabase, so you will be required to install II6 Compatibility Mode when installing Exchange.
  Therefore, you will get a metabase.xml file.
• web.config files are NOT machine specific! This means if you have an issue with the /owa vDir on Windows 2008 Exchange 2007/2010 server, you can copy your web.config from a "healthy" machine, to the "unhealthy" machine. COOL RIGHT! You can also do comparisons of "good" to "bad" using standard text comparison utilties. (windiff, etc)
• If you make a "bad" edit to a web.config file, you'll get the dreaded 500.19 - error indicating an error/invalid reference in a config file. Pretty self explanatory!

The GUI will 'show' you the lowest level file from which it is getting configuration settings. Click on a configuration setting within the site or directory to get this information to appear in the GUI, e.g., in IIS Manager, in the Connections pane on the left expand the DWS and select OWA. In the Features View pane on theright, double-click Authentication. Now at the bottom of the screen on the left, it shows:  Configuration:  ‘Default web site/owa’ web.config

 
  
  New IIS Accounts

• Previously, IIS used LOCAL accounts,
  IUSR_<MachineName> and IIS_WPG. There were drawbacks to these, as the LOCAL account and its SID were included in the metabase.xml and in ACLs, thus
  if you tried to copy the metabase or ACLs to another machine, it would not work.
  • To replace the IUSR_MachineName account, we now have IUSR
  • To replace IIS_WPG group, we now have the IIS_USRS group
  • The IUSR account is a BUILT IN account. Since it is a built in account, IT NO LONGER
    NEEDS A PASSWORD! NO more worrying about resetting or syncing passwords!
  • Since the IUSR account is built-in, the SID will be the same on ALL machines with IIS7 (S-1-5-17)
  • Since there is no longer anything ‘machine specific’, config files and ACL’s can be copied from one machine to another with no issue.

Troubleshooting

• To view currently executing requests in a worker process, do the following!
• Open IIS Manager.
• In the Connections pane, select the server node in the tree.
• In Features View, double-click Worker Processes.
• Select a worker process from the grid.
• Click View Current Requests in the Actions pane.
• View the list of requests in the grid.

Reference: https://technet.microsoft.com/en-us/library/cc732518.aspx

• Failed Request Tracing
  • This is an EXCELLENT new troubleshooting resource available in IIS7. The module must be installed and tracing enabled to collect tracing, then rules must be created to define what you wish to trace.
    • Rather than write this out, instructions can be found here...

https://technet.microsoft.com/en-us/library/cc725948.aspx

Everyone please try this out!

• DETAILED ERRORS
  • By default, a remote browser will get a LESS detailed error message than what will be displayed locally on the server. To CHANGE this behavior so that remote browsers get the same detailed error message, run the following from the directory: 
    %systemroot%\system32\inetsrv:
  • Appcmd set config /section:httpErrors /errorMode:Detailed            (default is DetailedLocalOnly)

USEFUL TOOLS/ITEMS SUMMARY

• For the most part, FORGET ABOUT RIGHT CLICKING IN IIS7!! It will generally get you no where!
• The following details how to install prerequisites for Exchange using the command line tool, servermanagercmd

https://technet.microsoft.com/en-us/library/bb691354(EXCHG.80).aspx

• How to make/restore a backup – APPCMD, the new all purpose utility for IIS7,
  located in %systemroot%\system32\inetsrv directory

AppCmd Add Backup "BackupName"

AppCmd List Backup (to list all backups)

AppCmd Restore Backup “BackupName”

AppCmd Backups do NOT backup web.config files!

• Failed Request Tracing

https://technet.microsoft.com/en-us/library/cc725948.aspx

• To turn on DETAILED error reporting for remote browsers

Appcmd set config /section:httpErrors /errorMode:Detailed           

 If you are looking for something and cannot find it, IT PROBABLY ISN’T INSTALLED!

• The redirect module is NOT installed bydefault. 

• URLScan functionality comes included as an optional module. Be sure to watch out for this! This module includes something called File Extension Restrictions, which will give an error code of 404.7 when a restriction is triggered. Verbs can also be denied and will trigger a 404.6

  • Other codes from this module…
    • 404.13 – content too large
    • 404.14 - URL is too large
    • 404.15 – query string is too large
    • Unless you have detailed logging turned on, the remote client will ONLY see the 404, not the sub status code! You will need to turn on detailed logging, browse locally, or check the IIS log files for the substatus code
    • Event Viewer logs in Windows 2008 are .evtx files by default.  To view or configure IP addresses/port numbers assigned to a site…Highlight the site on the left, then click Bindings in the Actions pane on the far right. You can also view SSL certificates from this area.

• To view the Application Pools and Physical Path assigned to a vDir…
• Click the vDir (not right click), CLICK application settings in the Feature name pane, and click Basic Settings in the Actions pane

• To check or change App Pool Identity…Select application pools in the Connections pane, select the App Pool Identity , then click Advanced settings in the Actions pane. 
• The Advanced Settings window will pop up as shown below:

• To view handler mapping (script mapping) for a virtual directory, select a virtual directory, double click handler mappings in the middle screen. Below are settings for the RpcProxy mapping.  
• Note the ‘request restrictions’ box, which tells you what verbs are allowed, as well as what level of access is required by the handler

As always, I assign any "credit" I might get for this post to MY mentors. Being a "mentor" is like being a parent, its a job that never ends. Mucho Gusto to Gary Reyman, Chris Korff, Mike Edwards, David Lugaro, Sandra LaFrenia, Laura LaFleur, Cherry Canady, Brad Hughes, Matt Byrd, Teresa Walker, Harvey Yancey, Terry Lyons, Beth Bellardo,Wyatt Staples, Jill Yaklin, Nic Seago, Tim McMichael, Brad Hughes and everyone else who contributed not to MY success, but to our success as a team.