Moc 6427a Configuring and Troubleshooting Iis v7.0 in Windows Server 2008-Student Manual

OFFICIAL MICROSOFT LEARNING PRODUCT
6427A:
Configuring and Troubleshooting
Internet Information Services in
Windows Server® 2008
Be sure to access the extended learning content on your

Course Companion CD enclosed on the back cover of the book.
BETA COURSEWARE. EXPIRES 5/15/2008

ii Configuring and Troubleshooting Internet Information Services in Windows Server® 2008
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
All other trademarks are property of their respective owners.
Technical Reviewer: FirstName LastName
Product Number: 6427A
Part Number:
Released: 12/2007

MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS COURSEWARE –
BLENDED LEARNING COURSE - STUDENT EDITION
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the licensed content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this licensed content, unless other terms accompany those items. If so, those terms apply.
By using the licensed content, you accept these terms. If you do not accept them, do not use
the licensed content.
If you comply with these license terms, you have the rights below.
1. OVERVIEW.
Licensed Content. The licensed content includes software, printed materials, academic materials
(online and electronic), and associated media.
License Model. The licensed content is licensed on a per copy per device basis.
2. INSTALLATION AND USE RIGHTS.
a. Licensed Device. The licensed device is the device on which you use the licensed content. You
may install and use one copy of the licensed content on the licensed device.
b. Portable Device. You may install another copy on a portable device for use by the single
primary user of the licensed device.
c. Separation of Components. The components of the licensed content are licensed as a single
unit. You may not separate the components and install them on different devices.
d. Third Party Programs. The licensed content may contain third party programs. These license
terms will apply to your use of those third party programs, unless other terms accompany those
programs.
3. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Media Elements and Templates. You may use images, clip art, animations, sounds, music,
shapes, video clips and templates provided with the licensed content solely for your personal
training use. If you wish to use these media elements or templates for any other purpose, go to
www.microsoft.com/permission to learn whether that use is allowed.
b. Academic Materials. If the licensed content contains academic materials (such as white papers,
labs, tests, datasheets and FAQs), you may copy and use the academic materials. You may not
make any modifications to the academic materials and you may not print any book (either

electronic or print version) in its entirety. If you reproduce any academic materials, you agree
that:
• The use of the academic materials will be only for your personal reference or training use
• You will not republish or post the academic materials on any network computer or broadcast in
any media;
• You will include the academic material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2007 Reprinted for personal reference use only with permission by
Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of
Microsoft Corporation in the US and/or other countries. Other product and
company names mentioned herein may be the trademarks of their respective
owners.
c. Distributable Code. The licensed content may contain code that you are permitted to distribute
in programs you develop if you comply with the terms below.
i. Right to Use and Distribute. The code and text files listed below are “Distributable Code.”
• REDIST.TXT Files. You may copy and distribute the object code form of code listed in
REDIST.TXT files.
• Sample Code. You may modify, copy, and distribute the source and object code form of
code marked as “sample.”
• Third Party Distribution. You may permit distributors of your programs to copy and
distribute the Distributable Code as part of those programs.
ii. Distribution Requirements. For any Distributable Code you distribute, you must
• add significant primary functionality to it in your programs;
• require distributors and external end users to agree to terms that protect it at least as
much as this agreement;
• display your valid copyright notice on your programs; and
• indemnify, defend, and hold harmless Microsoft from any claims, including attorneys’ fees,
related to the distribution or use of your programs.

iii. Distribution Restrictions. You may not
• alter any copyright, trademark or patent notice in the Distributable Code;
• use Microsoft’s trademarks in your programs’ names or in a way that suggests your
programs come from or are endorsed by Microsoft;
• distribute Distributable Code to run on a platform other than the Windows platform;
• include Distributable Code in malicious, deceptive or unlawful programs; or
• modify or distribute the source code of any Distributable Code so that any part of it
becomes subject to an Excluded License. An Excluded License is one that requires, as a
condition of use, modification or distribution, that
• the code be disclosed or distributed in source code form; or
• others have the right to modify it.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the licensed
content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The licensed content is licensed, not sold. This agreement only gives you some
rights to use the licensed content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the licensed content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the licensed content that
only allow you to use it in certain ways. You may not
• disclose the results of any benchmark tests of the licensed content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the licensed content;
• reverse engineer, decompile or disassemble the licensed content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the licensed content than specified in this agreement or allowed by
applicable law, despite this limitation;
• publish the licensed content for others to copy;
• rent, lease or lend the licensed content; or
• use the licensed content for commercial licensed content hosting services.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
6. BACKUP COPY. You may make one backup copy of the licensed content. You may use it only to
reinstall the licensed content.
7. TRANSFER TO ANOTHER DEVICE. You may uninstall the licensed content and install it on another
device for your use. You may not do so to share this license between devices.
8. TRANSFER TO A THIRD PARTY. The first user of the licensed content may transfer it and this
agreement directly to a third party. Before the transfer, that party must agree that this agreement

applies to the transfer and use of the licensed content. The first user must uninstall the licensed
content before transferring it separately from the device. The first user may not retain any copies.
9. EXPORT RESTRICTIONS. The licensed content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that
apply to the licensed content. These laws include restrictions on destinations, end users and end use.
For additional information, see www.microsoft.com/exporting.
10. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or licensed
content marked as “NFR” or “Not for Resale.”
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if
you fail to comply with the terms and conditions of these license terms. Upon any termination of this
agreement, you must destroy all copies of the licensed content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based
services and support services that you use, are the entire agreement for the licensed content and
support services.
13. APPLICABLE LAW.
a. United States. If you acquired the licensed content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the licensed content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
licensed content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED “AS-IS.” YOU BEAR
THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES OR
CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL
LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER
YOUR LOCAL LAWS, MICROSOFT EXCLUDES THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER
FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU
CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS,
SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the licensed content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability,
negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion
or limitation of incidental, consequential or other damages.
Please note: As this licensed content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des
clauses dans ce contrat sont fournies ci-dessous en français.
EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ».
Toute utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune
autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la
protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit
locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de
contrefaçon sont exclues.
LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES
DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de
dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation
pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de
bénéfices.
Cette limitation concerne:
• tout ce qui est relié au le contenu sous licence , aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers ; et
• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité
stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel
dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages
indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus
ne s’appliquera pas à votre égard.
EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres
droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les
lois de votre pays si celles-ci ne le permettent pas.

Configuring and Troubleshooting Internet Information Services in Windows Server® 2008 ix
Contents
Module 1: Configuring an IIS 7.0 Web Server
Lesson 1: Introducing Internet Information Services 7.0 1-3
Lesson 2: Installing the Web Server Role 1-7
Lesson 3: Installing Configuring Application Development, Health and
Diagnostics, and HTTP Features 1-15
Lesson 4: Configuring Performance, Security, and SMTP Features 1-22
Lab: Configuring an IIS 7.0 Web Server 1-29
Module 2: Configuring IIS 7.0 Web Sites and Application Pools

Lesson 1: Introducing Web Sites and Application Pools 2-3
Lesson 2: Creating and Configuring Web Sites and Applications 2-9
Lesson 3: Creating and Configuring a New Application Pool 2-16
Lesson 4: Maintaining an Application Pool 2-20
Lab: Configuring IIS 7.0 Web Sites and Application Pools 2-27
Module 3: Configuring IIS 7.0 Application Settings

Lesson 1: Configuring Application Settings 3-3
Lesson 2: Configuring ASP.NET Security 3-14
Lab: Configuring IIS 7.0 Application Settings 3-19
Module 4: Configuring IIS 7.0 Modules

Lesson 1: Lesson 1: An Overview of IIS 7.0 Modules 4-3
Lesson 2: Reviewing Native Module Functionality 4-8
Lesson 3: Configuring Native Modules 4-12
Lesson 4: Configuring Managed Modules 4-20
Lab: Configuring and Editing IIS 7.0 Modules 4-26

x Configuring and Troubleshooting Internet Information Services in Windows Server® 2008
Module 5: Securing the IIS 7.0 Web Server and Web Sites
Lesson 1: Configuring Secure Web Sites and Servers 5-3
Lesson 2: Configuring Other Aspects of Web Server Security 5-13
Lesson 3: Configuring Logging for IIS 7.0 5-22
Lab: Securing the IIS 7.0 Web Server and Web Sites 5-30
Module 6: Configuring Delegation and Remote Administration

Lesson 1: Configuring Remote Administration 6-3
Lesson 2: Configuring Delegated Administration 6-13
Lesson 3: Configuring Feature Delegation 6-17
Lab: Configuring Delegation and Remote Administration 6-25
Module 7: Using Command-line and Scripting for IIS 7.0 Administration

Lesson 1: Tools for Running Administrative Tasks in IIS 7-3
Lesson 2: Executing Scripts for Administrative Tasks 7-9
Lesson 3: Managing IIS Tasks 7-16
Lab: Using Command-line and Scripting for IIS 7.0 Administration 7-24
Module 8: Tuning IIS 7.0 for Improved Performance

Lesson 1: Implementing Best Practices for Improving IIS Performance 8-3
Lesson 2: Configuring Options to Improve IIS Performance 8-7
Lesson 3: Managing Application Pools to Improve IIS Performance 8-13
Lab: Tuning IIS 7.0 for Improved Performance 8-18
Module 9: Ensuring Web Site Availability with Web Farms

Lesson 1: Backing Up and Restoring Web Sites 9-3
Lesson 2: Introducing Shared Configurations 9-8
Lesson 3: Working with Shared Configurations 9-15
Lesson 4: Configuring Network Load Balancing for IIS 9-23
Lab: Ensuring Web Site Availability with Web Farms 9-29

Configuring and Troubleshooting Internet Information Services in Windows Server® 2008 xi
Module 10: Troubleshooting IIS 7.0 Web Servers

Lesson 1: Using IIS 7.0 Logging for Troubleshooting 10-3
Lesson 2: Troubleshooting Authentication and Authorization 10-10
Lesson 3: Troubleshooting Communication 10-17
Lesson 4: Troubleshooting Configuration 10-22
Lab: Troubleshooting IIS 7.0 Web Servers 10-26

About This Course i
About This Course

This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.
Course Description
The purpose of this three-day course is to prepare you to configure, manage, and
support Internet Information Services 7.0 (IIS 7.0) in an enterprise environment.
Audience
The primary audience for this course is individuals who want to become a Web
server administrator in an enterprise environment. Also, individuals who are
assuming a new role requiring skills to manage content served by an IIS 7.0 Web
server over the Internet, an intranet, and extranet, should be interested in this
course. The secondary audience for this course is Web-based applications
developers with networking skills who wish to learn more about IIS 7.0.
Student Prerequisites
This course requires that you meet the following prerequisites:
• Course 6420 Foundational Series: Fundamentals of a Windows Server 2008
Network Infrastructure and Application Platform
- or -
• A minimum of 1 year of experience administering and supporting a Web
Server role using Windows Server 2003
• Network + certification

ii Configuring and Troubleshooting Internet Information Services in Windows Server® 2008
Course Objectives
After completing this course, students will be able to:
• Install the Web Server role using Server Manager, on Server Core, and from an
unattended setup.
• Configure IIS role services such as HTTP; security; performance and
diagnostics; and management features.
• Configure IIS 7.0 Web sites and application pools.
• Configure application settings using ASP.NET.
• Configure and manage modules in IIS7.0.
• Secure Web sites and servers.
• Configure delegation and remote administration.
• Use command line tools like PowerShell and AppCmd for scripting IIS7.0.
• Configure Web sites and servers for the best performance.
• Ensure high availability of Web farms using backup and restore, Network
Load Balancing, and shared configurations.
• Use various tools to troubleshoot common Web server-related issues with
authentication, authorization, communication, and configuration.
Course Outline
This section provides an outline of the course:
Module 1, "Configuring an IIS 7.0 Web Server" This module covers how to install
the Web Server role on Windows Server 2008 and how to configure the most
common features of IIS.
Module 2, "Configuring IIS 7.0 Web Sites and Application Pools" This module
covers how to create, configure, and manage new Web sites, applications, and
application pools.
Module 3, "Configuring IIS 7.0 Application Settings" This module covers how to
configure application settings and how to deploy and secure multiple applications
on a single Web server.
Module 4, "Configuring IIS 7.0 Modules" This module covers how to configure
and edit native and managed modules.

About This Course iii
Module 5, "Securing the IIS 7.0 Web Server and Web Sites" covers how to secure
Web sites and servers including configuring and managing authorization,
authentication, and restrictions.
Module 6, "Configuring Delegation and Remote Administration" This module
covers how to use the delegated rights assignment and remote administration
features in IIS 7.0.
Module 7, "Using Command-line and Scripting for IIS 7.0 Administration" This
module covers how to use command-line and scripting for IIS 7.0 Administration.
Module 8, "Tuning IIS 7.0 for Improved Performance" This module covers some
best practices for improving performance in IIS 7.0 including how to manage
applications pools to achieve performance goals.
Module 9, "Ensuring Web Site Availability with Web Farms" This module covers
how to ensure high availability of Web farms using backup and restore, Network
Load Balancing, and shared configurations.
Module 10, "Troubleshooting IIS 7.0 Web Servers" This module covers how to use
logging and the new tracing infrastructure to troubleshoot and fix some common
types of problems.

iv Configuring and Troubleshooting Internet Information Services in Windows Server® 2008
Course Materials
• Course Handbook. The Course Handbook contains the material covered in
class. It is meant to be used in conjunction with the Course Companion CD.
• Course Companion CD. The Course Companion CD contains the full course
content, including expanded content for each topic pages, full lab exercises
and answer keys, topical and categorized resources and Web links. It is meant
to be used both inside and outside of the class.
Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to

support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.

About This Course v
Virtual Machine Environment

This section provides the information for setting up the classroom environment to
support the business scenario of the course.
Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 to perform the labs.
Important: At the end of each lab, you must close the virtual machine and must
not save any changes. To close a virtual machine without saving the changes,
perform the following steps: 1. On the host computer, click Start | All Programs |
Microsoft Virtual Server, Virtual Server Administration Website. 2. Under
Navigation, click Master Status. 3. For each virtual machine that is running, point
to the virtual machine name, and then in the context menu, click Turn off Virtual
Machine and Discard Undo Disks. 4. Click OK.
The following table shows the role of each virtual machine used in this course:
Virtual machine Role

NYC-DC1 Domain controller for woodgrovebank.com
NYC-SVR1 Member server used to install IIS
NYC-WEB2 A secondary Web server
NYC-WEB-A A primary Web server
NYC-WEB-B A primary Web server
NYC-WEB-C A primary Web server
NYC-WEB-D A primary Web server

vi Configuring and Troubleshooting Internet Information Services in Windows Server® 2008
Software Configuration
The following software is installed on each VM:
• Windows Server 2008 Enterprise Edition
Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.
Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware are taught.

Configuring an IIS 7.0 Web Server 1-1
Module 1
Configuring an IIS 7.0 Web Server
Contents:
Lesson 1: Introducing Internet Information Services 7.0 1-3
Lesson 2: Installing the Web Server Role 1-7
Lesson 3: Installing Configuring Application Development, Health and
Diagnostics, and HTTP Features 1-15
Lesson 4: Configuring Performance, Security, and SMTP Features 1-22
Lab: Configuring an IIS 7.0 Web Server 1-29

1-2 Configuring and Troubleshooting Internet Information Services in Windows Server® 2008
Module Overview
Internet Information Services 7.0 provides the components necessary for the Web
server role of the Windows Server 2008 platform. Internet Information Services is
an add-on server role for Windows Server 2008. This module briefly introduces
the new component-based setup model of IIS 7.0. In this module, you will learn
the fundamental workload scenarios for Web servers, and how to prepare for and
install the Web server role of the Windows Server 2008 platform. You will also
learn how to configure the most common features of IIS.

Lesson 1:
Introducing Internet Information Services 7.0
Before implementing Internet Information Services, it is important to understand

the technology and components that comprise the Internet Information Services
7.0 Web server role. This lesson describes common scenarios, components, and
technologies related to Internet Information Services.

Introducing IIS 7.0 Architecture
Key Points
Internet Information Services 7.0 introduces some important architectural changes
from IIS 6.0.
The new modular design allows administrators to install only what is needed,
thereby reducing footprint, attack surface, and management overhead. It also
allows custom modules to be installed to extend the Web server features. The key
features of the new modular design are:
• Completely modular Web server
• Native extensibility
• .NET extensibility
The key advantages of the unified pipeline are:

• All content is server through same pipeline
• Configuration is cached and can be changed without restarting the server

The Web server role can be installed on Windows Server 2008 Server Core. Server
Core is a minimal installation of Windows Server 2008 with no local graphical user
interface and a small footprint. The key advantages of running IIS on Server Core
are:
• No added overhead
• Completely remote administration
Question: Which features of the new IIS 7.0 architecture will you use in your
organization?

What are Typical Workloads?
Key Points
A workload describes the type of content and applications that the Web server will
provide. Before installing the Web server role, it is important to understand how
the server will be used so that the proper components are installed.
Question: Why is it not a good idea to install all of the components on every
server?

Lesson 2:
Installing the Web Server Role in Windows
Server 2008
Deploying IIS requires an understanding of the various installation methods

available and the scenarios to which they apply. In addition, understanding the
new Server Core and Virtualized environment will help you make the most of the
available resources in your organization. This lesson provides information to help
you understand the installation options and requirements for deploying IIS 7.0 in
a variety of environments.

Choosing an Installation Method
Key Points
There are three methods of installing IIS 7.0. The most common method is via the
Graphical User Interface (GUI). In Windows Server 2008 this is done through
Role Manager which is part of the Server Manager tool.
Using the command line interface, Pkgmgr can be used to install the IIS role and
components either as a series of command lines or by using an XML file for
unattended setup.
Question: What installation methods do you currently use to deploy IIS in your
organization?

Installing IIS from the Role Manager
Key Points
Server Manager provides the setup user interface on Windows Sever 2008. It
replaces Manage Your Server in Windows Server 2003. Server Manager also
provides server role management Here you can access a role's installed state,
current status, and management tasks.
Question: What are the scenarios in which you would you use the GUI to install
the IIS role?

Installing IIS from the Command Line using Pkgmgr
Key Points
The new command line tool for installing optional features in Windows Vista and
Windows Server 2008 is Pkgmgr.exe. It replaces sysocmgr.exe for installing
Windows Optional Features on previous versions of Windows.
Pkgmgr.exe allows you to install / uninstall Windows Optional Features directly
from command prompt or from scripts. For example, it can take a list of
Windows features to install on the command line, or it can take an xml file name
as a parameter for unattended installations.

Installing IIS using Unattended Setup
Key Points
• Xml files containing the information necessary for an unattended installation
can be written and provided to Setup.exe for installation of IIS 7.0 during the
initial installation of the Windows operating system.
• Alternately, an unattended XML file can be written and used with pkgmgr.exe
to install IIS and its features after the operating system has been installed.
Question: When would you choose to install using unattended setup with an XML
file versus through specifying the installation options through the command line?

Selecting the Appropriate Workload
Key Points
Installing IIS 7.0 from the command line requires that you explicitly specify the
features you wish to have installed by name. You will also need to ensure that any
dependencies get specified in the installation syntax. Failure to include
dependencies in the setup syntax will cause the installation to be unsuccessful.

Installing IIS on Windows Server 2008 Server Core
Key Points
Windows Server 2008 Server Core does not have a graphical user interface, so you
must install the IIS role at the command line or via unattended setup.
Question: How might you deploy Server Core Web servers in your organization?

Installing IIS in a Virtualized Environment
Key Points
If several servers run applications that consume only a fraction of the available
resources, virtual machine technology can be used to enable them to run side by
side on a single server, even if they require different versions of the operating
system or middleware. Windows Server virtualization provides customers an ideal
platform for key virtualization scenarios, such as:
• Production server consolidation
• Business continuity management
• Software test and development
• Dynamic data center
Question: How might your organization benefit from virtualization?

Lesson 3:
Configuring Application Development, Health
and Diagnostics, and HTTP Features
It is important to understand the basic configuration schema and most common

settings to configure Internet Information Services 7.0 successfully. This lesson
describes those configuration considerations and the most common scenarios and
their associated configuration settings. Additionally, it provides an overview of the
configuration hierarchy and how to perform initial configuration tasks to ensure
your Web server is functional.

How is IIS 7.0 Configured?
Key Points
The configuration of IIS 7.0 is stored in XML configuration files. The XML
configuration files:
• Replace the Metabase of previous versions of IIS
• Can be modified through various configuration interfaces
• Are fully extensible
Question: When would you use the Command Line configuration tool to modify
the configuration instead of IIS Manager?

Where are Configuration Files Stored?
Key Points
Every level of the URL namespace may have associated configuration.
Configuration for a given level inherits down to child levels, unless specifically
overridden by a child level. A simple way to achieve per-URL configuration is by
using web.config files, in the physical file-system folders that are mapped to the
virtual paths.

Configuring Application Development Features
Key Points
Configuring ASP.NET:
• IIS 7.0 is configured to use the new Integrated mode for new applications and
this is the default behavior.
• The pipeline mode and .NET Framework version are configured by using the
application pool settings.
Configuring Classic ASP:

• In IIS Manager or by using the APPCMD.EXE command line tool, set the ASP
behavior settings to match the needs of the application.
• Set the debugging properties such whether to Send Errors to the Browser.
• Give appropriate permissions to the ASP Application Pool identity.

Configuring Fast-CGI and PHP:

• Install PHP (available from http://www.php.net).
• Modify the PHP.INI file per the needs of the PHP application.
• Map the PHP extension to the Fast-CGI module.
Question: Which of these settings apply to the applications in your organization?

Configuring Health and Diagnostic Features
Key Points
Configure the appropriate Health and Diagnostics features depending on the needs
and maturity of your sites and applications.
Note: More information on configuring Health and Diagnostics features will be

covered in Module 10.
Question: In what scenarios would you want to enable more detailed Health and
Diagnostics features?

Configuring HTTP Features
Question: Why is the HTTP Timeout setting important?

Lesson 4:
Configuring Performance, Security, and SMTP
Features
In addition to basic configuration, there are a few performance and security

features that are commonly configured during or just after installation. This lesson
describes these features and the common settings and scenarios in which they
might be enabled.

Configuring Performance Features
Key Points
• Static caching will cache static content such as HTML pages and graphics files.
This can greatly improve page response times for clients. To enable static
caching:
• Add a cache rule in IIS Manager
• Configure the file types that you want to cache, such as JPG or HTML.
• Set the change notification

• Dynamic Output caching will cache versions of output that change depending
on a Web application’s output. For example, you may have a page that is
nearly identical except for localized text. You can cache the possible versions
of the page and automatically reload the content into the cache if it has
expired. To enable Dynamic Output Caching:
• Add a cache rule in IIS Manager
• Set a time interval
• Set the differentiator that distinguishes the versions, such as localized
language or other variable(s) used by the Web application.
• There are other settings that will be covered in more detail in later modules,
such as application pools, http compression, network, and operating system
settings.

Configuring Security Features
Key Points
Configure the security settings to match the needs of the sites and applications.
Note: These settings will be covered in more detail in later modules.
Question: What are the security needs of the applications in your organization?

Configuring SMTP Features
Key Points
Some Web sites need to send email through an SMTP (Simple Mail Transfer
Protocol) server. To enable this functionality, you need to configure information
needed to contact the SMTP server. This can be accomplished through the Site
settings in IIS Manager.
Question: What are some examples of sites that use SMTP?

Discussion: How is Your Current Environment Deployed?
Key Points
Discuss your organization's current environment in a classroom discussion, led by
your instructor, and determine possible installation and configuration solutions in
IIS7.
Number of Machines and Sites

How many physical servers are operating as Web sites in your organization? How
many sites? Are they configured similarly or differently? Why?
Possible Installation Methods

Based on the previous discussion, how might you install IIS in your environment?
How would you add new servers for different scenarios, such as testing,
development or production?

Server Core and Virtualization Opportunities

Think about the different servers and sites in your organization. How might you
use Server Core or Virtualization to make the most of your physical machines? Is
there room for consolidation? How might you streamline using new machines?

Lab: Configuring an IIS 7.0 Web Server

Module Review and Takeaways
Review Questions
1. What is the benefit of a modular architecture?
2. Describe various scenarios in which organizations may benefit from
implementing IIS on Windows Server Core.
3. Which installation method can be used with scripting?
4. Which workloads are not available on Windows Server Core?

Configuring IIS 7.0 Web Sites and Application Pools 2-1
Module 2
Configuring IIS 7.0 Web Sites and Application
Pools
Contents:
Lesson 1: Introducing Web Sites and Application Pools 2-3
Lesson 2: Creating and Configuring Web Sites and Applications 2-9
Lesson 3: Creating and Configuring a New Application Pool 2-16
Lesson 4: Maintaining an Application Pool 2-20
Lab: Configuring IIS 7.0 Web Sites and Application Pools 2-27

Module Overview
IIS 7.0 makes Web sites and applications more secure by automatically isolating
them, providing sandboxed configuration and unique process identity by default.
This module briefly introduces the new integrated pipeline mode of IIS 7.0 and
new features of application pools. In this module, you will learn the how to create
new sites, applications, and application pools. You will also learn how to configure
and manage application pools.

Lesson 1:
Introducing Web Sites and Application Pools
Before configuring application pools, it is important to understand how application

pools relate to Web sites in the new pipeline model and the implications to
authentication. In this lesson, you will learn about Web sites and application pools,
and how authentication works in IIS. You will also learn about the default
application pool properties.

How are Web Sites and Application Pools Used?
Key Points
An application pool is a group of one or more URLs that are served by a worker
process or a set of worker processes. Application pools set boundaries for the
applications they contain, which means that any applications running outside of a
given application pool cannot affect the applications within the application pool.
Question: Do you have multiple applications running under one application pool
in your organization?

Review of the Unified Request Processing Pipeline in IIS 7.0
Key Points
In IIS7, the ASP.NET request processing pipeline overlays the IIS pipeline directly,
essentially providing a wrapper over it instead of plugging into it.
A request arriving for any content type is processed by IIS, with both native IIS
modules and ASP.NET modules being able to provide request processing in all
stages. This enables services provided by ASP.NET modules like Forms
Authentication or Output Cache to be used for requests to ASP pages, PHP pages,
static files, and so on.
The ability to plug in directly into the server pipeline allows ASP.NET modules to
replace, run before, or run after any IIS functionality. This enables, for example, a
custom ASP.NET basic authentication module written to use the Membership
service and SQL Server user database to replace the built in IIS basic authentication
feature that works only with Windows accounts.
Question: What is an ISAPI filter and why was it used in IIS 6.0?

How Does Authentication Work in IIS 7.0?
Key Points
The identity of an application pool is the name of the service account under which
the application pool's worker process runs. By default, application pools operate
under the Network Service user account, which has low-level user access rights.
You can configure application pools to run under one of the built-in user accounts
in the Windows Server 2008 operating system. For example, you can specify the
Local System user account, which has higher-level user privileges than either the
Network Service or Local Service built-in user accounts. However, remember that
running an application pool under an account with high-level user rights is a
serious security risk.
Question: What are the scenarios in your organization that you might use a
custom identity for an application pool?

Review of Authentication Types
Key Points
Authentication is the process for verifying that an entity or object is who or what it
claims to be. IIS 7.0 supports the following authentication methods:
• Basic authentication prompts the user for a user name and a password, also
called credentials, which are sent unencrypted over the network.
• Integrated Windows authentication uses hashing technology to scramble user
names and password before sending them over the network.
• Digest authentication operates much like Basic authentication, except that
passwords are sent across the network as a hash value. Digest authentication is
only available on domains with domain controllers running Windows Server
operating systems.
• Anonymous authentication allows everyone access to the public areas of the
Web sites, without asking for a user name or password.

What are the Default Application Pool Properties?
Key Points
The default application pool is named DefaultAppPool. It is set to use ASP.NET
integrated mode and runs under the Network Service identity.
Question: What application pool settings would you change if upgrading a key
server from IIS 6.0 to II 7.0 in your environment?

Lesson 2:
Creating and Configuring Web Sites and
Applications
In this lesson, you will learn the difference between sites and applications, and
how to create sites and applications. You will also learn how to configure virtual
directories and authentication, and some scenarios and best practices for hosting
sites in a virtualized environment.

Creating a Web Site
Key Points
When you want to publish content for access over the Internet or an intranet
connection, you can add a Web site to your Web server to hold the content.
Question: Why would you add more than one site to a server?

What is a Web Application?
Key Points
An ASP.NET Web application, in its simplest form, consists of a directory made
available by means of HTTP, using the IIS administration tool or through the Web
Sharing tab of a folder’s Properties dialog box (or by creating a webapplication
project in Visual Studio .NET) and at least one ASP.NET page, designated by the
.aspx file extension. This file (or files), typically contains a mix of HTML and
server-side code. The HTML and server-side code combine to create the final
output of the page, typically consisting of HTML markup that is sent to the client
browser.
Question: What are some examples of Web applications?

Creating a Web Application
Key Points
A Web application is a grouping of content at the root level of a Web site or a
grouping of content in a separate folder below the Web site's root directory. When
you add a Web application in IIS 7.0, you designate a directory as the application
root, or starting point, for the application and then specify properties specific to
that particular application, such as the application pool that the application will
run in.
Question: What permission level is needed to create a Web application?

Creating a Virtual Directory
Key Points
A virtual directory is a directory name, used in an address, which corresponds to a
physical directory on the server. You can add a virtual directory to include
directory content in a Web site or Web application without needing to move the
content physically into that Web site or Web application directory.
Question: How might your organization benefit from virtual directories?

Configuring Authentication
Key Points
You can configure IIS to authenticate users before they are permitted access to a
Web site, a folder in the site, or even a particular document contained in a folder in
the site. Authentication in IIS can be used to strengthen the level of security on
sites, folders, and documents that are not to be viewed by the general public.
Authentication in IIS is critical when resources are not meant for anonymous or
public access, but when the Web server must be accessible to approved users over
the Internet. Examples of Web site applications that require authentication access
control include Microsoft Outlook Web Access (OWA) and the Microsoft Terminal
Services Advanced Client.
Question: When would you configure authentication at the site level versus the
application level?

Hosting Web Sites in a Virtualized Environment
Key Points
IIS 7.0 can run on a virtual machine. To get the most from this configuration:
• On a 64-bit host machine, enable 32-bit processes and run multiple 32-bit
Web server (each will have access to up to 4GB memory)
• Consolidate legacy Web sites and applications to virtual servers running older
operating systems to free hardware and resources
• Use virtual machines to further isolate sites. Deploy identical virtual servers
with virtual directories hosted on network attached storage to host multiple
sites.
Question: How would you virtualize your organization's servers?

Lesson 3:
Creating and Configuring a New Application
Pool
Application pools allow you to apply configuration settings to groups of

applications and the worker processes that service those applications. Any Web
site, Web directory, or virtual directory can be assigned to an application pool. In
this lesson, you will learn how to create an application pool and set its basic
properties. You will also learn how to modify an existing application pool.

Creating an Application Pool
Key Points
Application pools isolate Web sites and Web applications to address reliability,
availability, and security issues.
Question: What is the impact of creating too many application pools?

Setting Basic Properties of an Application Pool
Key Points
You can configure the basic settings for the application pool.
Question: When would you want to configure the application pool through a
script?

Configuring IIS 7.0 Application Pools
Key Points
Configure an Application Pool's Advanced Settings to change the pipeline mode
and configure health management and recycling settings.
Question: Why is the timeout setting important?

Lesson 4:
Maintaining an Application Pool
In addition to basic configuration, there are some specific tasks you may need to
perform periodically to maintain application pools. This lesson describes these
tasks and the common settings and scenarios in which they might be performed.

Recycling Application Pools
Key Points
Recycling only works on an application pool that is already running

Stopping an Application Pool
Key Points
Stopping an application pool causes the WWW service to shut down all running
worker processes serving that application pool. The WWW service does not restart
these worker processes. An administrator must restart all stopped application
pools. All applications routed to a stopped application pool receive 503 Service
Unavailable errors.
Question: Why would you stop an application pool instead of recycling it?

Editing All Application Pool Properties
Key Points
Not all settings are available in the Basic properties.

Renaming an Application Pool
Key Points
You might decide to rename an application pool to better associate it with the
applications it contains.

Removing an Application Pool
Key Points
If an application pool does not have any applications assigned to it, you can
remove the application pool. However, if the application pool has applications
assigned to it, you must assign those applications to another application pool
before removing the original application pool. Applications cannot run unless they
are associated with an application pool.

Managing Authentication
Key Points
You can perform this procedure by using the user interface (UI), by running IIS 7.0
command-line tool commands in a command-line window, by editing
configuration files directly, or by writing WMI scripts.

Lab: Configuring IIS 7.0 Web Sites and

Application Pools

Review Questions
1. What is the benefit of the unified request pipeline?
2. What are application pools?
3. How do you remove an application pool?
4. If an application pool is stopped, what response will clients receive?

Configuring IIS 7.0 Application Settings 3-1
Module 3
Configuring IIS 7.0 Application Settings
Contents:
Lesson 1: Configuring Application Settings 3-3
Lesson 2: Configuring ASP.NET Security 3-14
Lab: Configuring IIS 7.0 Application Settings 3-19

Module Overview
Because of the runtime integration, IIS and ASP.NET can use the same
configuration for enabling and ordering server modules, and configuring handler
mappings. Other unified functionality includes tracing, custom errors, and output
caching. In this module, you will learn the how to configure application settings.
You will also learn how to deploy and secure multiple applications on a single Web
server.

Lesson 1:
Configuring Application Settings
Before configuring application settings, it is important to review how application

requests are processed in the new pipeline model and the implications to
authentication. In this module, you will learn about custom error messages and
deploying applications. You will also learn about application development settings.

Review of the ASP.NET Platform
Key Points
A request arriving for any content type is processed by IIS, with both native IIS
modules and ASP.NET modules being able to provide request processing in all
stages.
The ability to plug in directly into the server pipeline allows ASP.NET modules to
replace, run before, or run after any IIS functionality.
Question: What is an example of an ASP.NET application? Explain how the

content returned to the browser varies.

Installing the ASP.NET Role Service
Key Points
If you use the Add Roles Wizard to install IIS 7.0, you get the default installation,
which has a minimum set of role services. If you need additional IIS 7.0 role
services, such as Application Development or Health and Diagnostics, make sure to
select the check boxes associated with those features in the Select Role Services
page of the wizard.
Question: Why isn't ASP.NET installed by default?

Configuring Error Messages
Key Points
• Custom error messages let you provide a friendly or a more informative
response by serving a file, executing a resource, or redirecting to a URL, when
visitors to your site cannot access the content they requested.
• By default, IIS serves error messages that are defined in files stored in the
systemroot\Help\IisHelp\Common folder. You can create a custom error
message for users and configure IIS to return this page whenever it encounters
a specific HTTP error on your site.
Question: What are the scenarios in your organization that you might use custom
errors for an application?

When to Use Stage and Deploy
Key Points
In previous versions of IIS, moving a Web site from one server to another meant
that you had to explicitly configure IIS application settings in the machine-level
metabase repository before the application could function properly. With IIS 7.0,
however, the process of deploying a Web site is now much easier.
Question: Name three scenarios in your organization that you might use stage and
deploy to deploy an application.

Configuring ASP.NET Compilation and Globalization

Settings
Key Points
IIS lets you configure the following .NET compilation settings:
• Batch settings, such as the maximum file size that you can batch and the
maximum number of pages that you can have per batched compilation.
• Behavior settings, such as the number of times resources are dynamically
compiled before the application is restarted.
• General settings, such as the default programming language that is used in
dynamic compilation files.
IIS lets you configure the following globalization settings:

• Culture settings, such as the UI culture.
• Encoding settings, such as encoding for response headers.

Question: What is the difference between culture settings and language settings?
Give an example of both.

Configuring ASP.NET Session State and Pages and Controls
Key Points
Session State:
When clients visit a site, they generally navigate from one page to another and
frequently change some of the pages they visit. If you want to track where they go
and what they change, you must configure session state. Session state can be saved
in process or on a server.
Pages and Controls:
IIS 7.0 lets you configure the following ASP.NET page and user controls settings:
• Behavior settings: for example, whether the Web page maintains its view state
and the view state of any server controls it contains when the current page
request ends.
• General settings: for example, namespaces that are included for all pages.
• Compilation settings: for example, whether pages are compiled or interpreted.
• Services: for example, whether session state is enabled.

Question: How might a shopping cart application use state information?

Configuring ASP.NET Connection Strings and Providers
Key Points
A connection string provides the information that an application or provider must
have to communicate with a particular database. A connection string usually
supplies the server or location of the database server, the particular database to
use, and the authentication information. If you use a connection string, this
enables you to connect to databases from managed code applications in a
centralized manner.
ASP.NET 2.0 includes several services that store state in a database or other data
store. A provider is a software module that implements a uniform interface
between one of these services and a data source. In IIS 7.0, you can set the default
provider for your application. You can also configure the provider properties. For
example, Users is a provider-based feature where one provider stores the user data
in SQL whereas another provider stores the user data in a text file.
Question: How do you use database servers in your current Web application
deployments?

Configuring ASP.NET Application Settings and Machine Key
Key Points
Configure application settings when you want to store key/value pairs as part of
your configuration in the Web.config file. Application settings provide a quick and
easy to access area to store configuration data for your application.
Machine keys help protect Forms authentication cookie data and page-level view
state data. They also verify out-of-process session state identification. ASP.NET uses
the following types of machine keys:
• A validation key computes a Message Authentication Code (MAC) to confirm
the integrity of the data. This key is appended to either the Forms
authentication cookie or the view state for a specific page.
• A decryption key is used to encrypt and decrypt Forms authentication tickets
and view state.
Question: What are some examples of Web application settings and how are they
used by the application?

Lesson 2:
Configuring ASP.NET Security
In this lesson, you will learn about securing content and your Web server through
File and Folder security. You will also learn about configuring advanced security to
reduce the attack surface of your application, adding ISAPI filters in Classic mode,
and configuring .NET trust levels.

Configuring File and Folder Security
Key Points
A virtual directory is a directory name, used in an address, which corresponds to a
physical directory on the server. You can add a virtual directory to include
directory content in a Web site or Web application without needing to move the
content physically into that Web site or Web application directory. When an
application uses content from a virtual directory, whether local or on a remote file
share, you must configure that directory's security to allow the application pool
identity read and/or write access.
In addition, any other resources that your application needs to access or modify
must be configured to allow the appropriate permissions.
Question: What is an ACL?

Configuring Advanced Security
Key Points
You can improve server security by reducing the number of attack points. This
means only installing what you need and disabling any unnecessary functionality.
Question: When would you configure authentication to apply to multiple content

types?

Adding ISAPI Filters
Key Points
Internet Server Application Programming Interface (ISAPI) filters are programs that
you can add to IIS to enhance Web server behavior. ISAPI filters receive every
HTTP request made to the Web server to provide additional functionality for the
server, such as logging request information, authenticating and authorizing users,
rewriting URLs, and compressing Web content to reduce bandwidth cost.
• In IIS 7.0, modules replace ISAPI filters, but you can still add ISAPI filters if
you require the functionality that they provide.
• You can add an ISAPI filters at the server level and the site level. If you add the
ISAPI filter at the server level, the filter will intercept all requests made to the
server. If you add the ISAPI filter to a specific site, the filter will intercept all
requests made to that site.
Question: How are you using ISAPI filters in your organizations applications
today?

Configuring .NET Trust Levels
Key Points
An application's trust level determines the permissions that are granted by the
ASP.NET code access security (CAS) policy. CAS defines two trust categories: full
trust and partial trust. An application that has full trust permissions can access all
resource types on a server and perform privileged operations. Applications with
full trust are affected only by the security settings of the operating system.
Question: When might you change the .NET trust level of an application?

Lab: Configuring IIS 7.0 Application Settings

Lab Review

Review Questions
1. How can you improve the user experience when a problem is encountered?
2. What are application settings and how are they used?
3. If an application is completely self-contained and does not need to access
external information, what is the best setting for its .NET trust level?

Configuring IIS 7.0 Modules 4-1
Module 4
Configuring IIS 7.0 Modules
Contents:
Lesson 1: An Overview of IIS 7.0 Modules 4-3
Lesson 2: Reviewing Native Module Functionality 4-8
Lesson 3: Configuring Native Modules 4-12
Lesson 4: Configuring Managed Modules 4-20
Lab: Configuring and Editing IIS 7.0 Modules 4-26

Module Overview
IIS 7.0's Web-server feature set is componentized into more than thirty
independent modules. A module is either a Win32 DLL (native module) or a .NET
2.0 type contained within an assembly (managed module). Similar to a Lego set,
modules are added to the server in order to provide the desired functionality for
your applications. Likewise, all IIS modules can be removed, or replaced with
custom modules developed using the new IIS 7.0 C++ APIs, or the familiar
ASP.NET 2.0 APIs.

Lesson 1
An Overview of IIS 7.0 Modules
IIS 7.0 provides significant enhancements over IIS 6.0 in many areas, particularly
in regards to customization and modularity. The modular nature of IIS 7.0 offers
many administrative advantages, including increased security, expandability, and
customization.

Reviewing IIS 6.0 Request Processing
Key Points
• IIS 6.0 features a monolithic implementation which forces the administrator to
install all or nothing.
• IIS 6.0 extends server functionality only through ISAPI, which restricts
expandability.
Question: Have you encountered any limitations with IIS 6.0 where you expect
improvement by deploying IIS 7.0.

Reviewing IIS 7.0 Request Processing
Key Points
• The server functionality is split into about many modules
• The request-processing architecture consists of a list of modules that perform
specific tasks in response to requests.
• You can manage all of the modules in one location, instead of managing some
features within IIS and some in the ASP.NET configuration.
Question: Which modules do you think pose the greatest security risk and you
would most likely not deploy in your organization.

Comparing IIS 7.0 Modules with ISAPI Filters
Key Points
• Internet Server Application Programming Interface (ISAPI) filters are programs
that you can add to IIS to enhance Web server behavior.
• In IIS 7.0, modules replace ISAPI filters, but you can still add ISAPI filters if
you require the functionality that they provide.

Comparing Handlers with Modules
Key Point
• Modules process parts of a request to provide a desired service, such as
authentication or compression.
• Typically, modules do not generate responses to clients; instead, handlers
perform this action because they are better suited for processing specific
requests for specific resources.

Lesson 2
Reviewing Native Module Functionality
Native modules are components that are built into IIS 7.0 and can be deployed,
configured, and managed to suit the needs of the individual Web site and server.

Reviewing Native Modules Registered by Default
Key Points
• A minimal number of modules are registered by default for a base
configuration of IIS 7.0.
• These modules perform basic functions like managing anonymous
authentication, serving static files, and managing basic logging.
Question: Can you imagine any scenarios where you would want to de-register any
of these basic modules.

Reviewing Native Modules not Registered by Default
Key Points
• These modules primarily manage caching and so should be deployed to
improve server performance in situations where they would match the types of
content being served.
Question: Which of these modules would be useful for Web sites that you've
deployed?

Understanding Information in applicationHost.config
Key Points
• ApplicationHost.config is the root file of the IIS 7.0 configuration system.
• It includes definitions for all:
• Sites
• Applications
• Virtual directories
• Application pools

Lesson 3
Configuring Native Modules
It is easy to manage the native modules in IIS 7.0. They can be managed by
manually editing the IIS 7.0 configuration store, by using the IIS Manager, or by
using the AppCmd.exe command line tool.

Registering a Native Module
Key Points
• In order to install a native module, it needs to be registered with the server.
• It can be registered by manually editing the applicationHost.config file, by
using the IIS Manager, or by using the AppCmd.exe command line tool.
• Typically editing the applicationHost.config file is a more reliable method, and
offers you greater control over how to register native modules.

Editing Registration for a Native Module
Key Points
• After you register a native module from this dialog box, you must also add it to
the Modules list on the Web server before the module can process requests
• In the Edit Native Module Registration dialog box, you can enter the
descriptive module name and the full path and file name of the associated .dll
file.

Configuring Native Modules with IIS Manager
Key Points
• Use the Modules feature page to manage the native modules and managed
modules.
• The Modules feature page lists all the modules currently installed on the
server.
• The information displayed includes name, code, module type, and entry type.

Using the IIS Manager to Enable a Native Module
Key Points
• After you register a native module, that module will be loaded and available in
every application pool on the server, but you must also enable it by adding it
to the list on the Modules feature page.
• Only server administrators can add native modules to the Web server.
• Native modules can be added only at the server level in IIS 7.0.

Reviewing the Native Modules Dialog Boxes
Key Points
• Use the Add Module Mapping and Edit Module Mapping dialog boxes to add
new or edit existing module mappings on the Web server.
• You can map a specific file or file name extension to a native module on the
Web server, so that when a user requests the file or a file that has the specified
extension, the module will process the request.

Removing a Native Module
Key Points
• You can un-install a native module if that module is no longer in use on the
server, or if you would like to replace it with another module.
• You can do that by removing the corresponding module entry from the
<globalModules> configuration list, and the associated entry in the <modules>
configuration list.
• You can do this by manually editing the applicationHost.config file, using the
IIS Manager, or using the AppCmd.exe command line tool.

Removing a Native Module by Editing the Config File
Key Points
• When you remove a native module from site or an application, you are
removing the associated native module from a specific application on the
server, but you are not removing the registration of the native module from the
Web server.
• Typically this is a more reliable method, and offers you greater control over
how to disable native modules.

Lesson 4
Configuring Managed Modules
A managed module does not require installation, and can be enabled directly for
each application.

Using and Installing Managed Modules
Key Points
• A managed module does not require installation, and can be enabled directly
for each application.
• Enabling a module allows it to provide its service for a particular application.
In order to enable a native module, it must first be installed on the server.
• Managed module types include built-in managed modules and user-created C#
programs.
Question: Would you find it useful in your organization to develop modules in

C#?

Configuring a Managed Module
Key Points
• IIS 7.0 includes several managed modules that process parts of requests, such
as authentication and caching.
• You can edit existing managed modules, or add new modules to extend the
functionality of the Web server.

Editing a Managed Module using the IIS Manager
Key Points
• You can use the IIS Manager to change the settings for a managed module.

Editing a Managed Module using the Command Line
Key Points
• To edit a managed module at the server level, use the following syntax:
appcmd set module /name:string /type:string /preCondition:string
• The variable name:string is the name of the managed module that you want to
edit at the server level. The variable type:string is managed type for the
module. Optionally, specify a condition or conditions under which the module
will run by including the variable preCondition:string.

Removing a Managed Module using the IIS Manager
Key Points
• You can remove a managed module from a site or application if the site or
application does not require the module for processing.
• Removing a managed module means that the module is removed from the list
of active modules; however, the code still exists on the Web server.
• You can add the module again if application requirements change.

Lab 1: Configuring and Editing Modules
Exercise 1: Configuring and Editing Native Modules

Scenario
You received a service request from the application development team specifying
the modules that are required to install, test, and run an application on the
specified Web server. To reduce the server footprint and vulnerability, you must
remove the unnecessary modules.
Exercise Overview
In this exercise, students will learn how to remove native modules from a Web
server to improve security and reduce the server footprint.
The main tasks for this exercise are as follows:
1. Start the 6427A-NYC-WEB virtual machine and log on as Administrator.
2. Backup the current Web server configuration.
3. Examine the modules currently installed on the Web server.

4. Remove the Default Document Module and the Directory Listing Module.
5. Validate that the modules have been removed and test the new server
configuration.
6. Restore the modules to the Web server configuration.
7. Validate that the modules have been restored and test the server configuration.
f Task 1: Start the 6427A-NYC-WEB virtual machine and log on as

Administrator.
f Task 2: Backup the current Web server configuration.
f Task 3: Examine the modules currently installed on the Web server.
f Task 4: Remove the Default Document Module and the Directory

Listing Module.
f Task 5: Validate that the modules have been removed and test the
new server configuration.
f Task 6: Restore the modules to the Web server configuration.
f Task 7: Validate that the modules have been restored and test the
server configuration.
Results: After this exercise, you should have successfully removed native modules from
a Web server, and then confirmed that the server operates as expected

Exercise 2: Configuring and Editing Managed Modules

Scenario
To increase throughput, it has been determined that output caching would be
beneficial on some of the applications on the Web server. You need to make sure
that the Output Cache module is installed and configured as specified in the
service request. The development team also requested the installation of a new
Managed Module that provides an additional level of logging for their application.
Exercise Overview
In this exercise, students will learn how to add new managed modules to a Web
server.
1. Install the logging managed module.
2. Confirm the installation of the logging managed module.
3. Test the Web site’s forms authentication page.
4. Examine the modules currently running on the Web server.
5. Remove the forms authentication managed module.
6. Test the new configuration.
f Task 1: Install the logging managed module.
f Task 2: Confirm the installation of the logging managed module.
f Task 3: Test the Web site’s forms authentication page.
f Task 4: Examine the modules currently running on the Web server.

f Task 5: Remove the forms authentication managed module.
f Task 6: Test the new configuration.
Results: After this exercise, you should have successfully added a managed module to
the Web server.

Review Questions
1. What typically generates the response to the client; native modules, managed
modules, ISAPI filters, or handlers?
2. Do both, native modules and managed modules need to be added to the
<globalModules> configuration section of the applicationHost.config?
3. Native module files have what type of file extension?
4. When would you use the precondition variable?
5. You need a new managed module build by the development team. What
programming language would you recommend that they use for creating the
module?

Common Issues related to a particular technology area in the module

Identify the causes for the following common issues related to a particular
technology area in the module and fill in the troubleshooting tips. For answers,
refer to relevant lessons in the module.
Issue Troubleshooting tip

If you do not see the module on the To enable the module, you must open the
Modules page, it has not been Configure Native Modules dialog box, select
enabled. the check box of the module, and then click
OK.
Real-world Issues and Scenarios

1. Trey Research wants to deploy a new Web site but they want to make it
exclusively for the use of its remote researchers. What security measures
would you put in place? Would you remove any of the native modules that are
installed by default? How would you remove the modules?
2. Deploy security and authentication on the Web server. Remove the
anonymous authentication module by editing the applicationHost.config.
Best Practices related to a particular technology area in this module

Supplement or modify the following best practices for your own work situations:
• Directly editing applicationHost.config offers greater control and is preferred
over using the IIS Manager tool. Typically this is a more reliable method, and
offers you more flexibility over how to manage and configure native modules.
• Make sure you are set up with Administrator credentials before you attempt to
uninstall a native module by removing the entries from the <globalModules>
and <modules> sections. Because the <globalModules> configuration section is
only settable at the server level, you must be an administrator to uninstall a
module.

Tools
Tool Use for Where to find it

IIS Manager • Configuring modules Administrative tools
MS Visual C# Express • Editing code for managed Free download

modules
Notepad • Editing applicationHost.config Accessories

Securing the IIS 7.0 Web Server and Web Sites 5-1
Module 5
Securing the IIS 7.0 Web Server and Web Sites
Contents:
Lesson 1: Configuring Secure Web Sites and Servers 5-3
Lesson 2: Configuring Other Aspects of Web Server Security 5-13
Lesson 3: Configuring Logging for IIS 7.0 5-22
Lab: Securing the IIS 7.0 Web Server and Web Sites 5-30

Module Overview
Web servers are often placed in a very precarious position. They are typically
public-facing servers, but they also need to maintain very tight security in order to
maintain the integrity of the server and to ensure confidence to their users.
Microsoft IIS 7.0 provides many tools and techniques for maintaining a highly
secure Web server environment.

Lesson 1
Configuring Secure Web Sites and Servers
There are many tools and techniques available for securing Web sites and servers.
These include such techniques as restricting certain IP addresses, setting up
authorization rules, and managing authentication. By using these and other
techniques, you can make sure your Web server more secure and highly available.

Managing IIS 7.0 Security
Key Points
There are many features and tools built in to IIS 7.0 that allow customizing of Web
site and server security. These tools help secure and restrict unauthorized access to
the Web sites and server.

Reviewing Features that can be used to Secure IIS
Key Points
There are many features that can be used to secure an IIS 7.0 server. Some of them
are designed as part of the IIS 7.0 system and installation process, while others
need to be manually configured and monitored by the administrator.
Question: Which of these techniques do you think will be most effective at

securing a Web server in your organization?

Managing IP and Domain Restrictions
Key Points
• IP address and domain restrictions can restrict or grant access to Web site
content based on IP addresses or domain names.
• IP address and domain restrictions can restrict or grant access to specific users
or organizations that Web site administrators deem harmful or unwanted.
Question: Do you feel that this type of security would be useful to your
organization?

Reviewing Authorization Rules
Key Points
• Authorization allows users to access Web server content, and you can
authorize it based on NTFS permissions, publishing point permissions, and
the client's IP address.
• In many cases, authorization is combined with authentication.
Question: Authorization rules may be more complex to deploy and manage. Do

you feel that this type of security would be useful to your organization?

Configuring Authorization Rules
Key Points
There is a lot of flexibility in defining authorization rules. Authorization rules can
be defined for specific verbs, specific roles, specific users, and/or specific groups.

Managing Authentication
Key Points
• IIS 7.0 may use authentication to identify users. This information can be
placed in log files or you can use it in combination with authorization plug-ins
to control content access.
• IIS 7.0 offers many different types of authentication to optimally customize the
level of security and access to Web sites.
Question: Why would you want to use authentication?

Managing Application Security
Key Points
• ISAPI and CGI restrictions are request handlers that allow dynamic content to
execute on a server.
• Allowing all unspecified extensions is a security risk, because your Web server
could become susceptible to computer viruses or worms that exploit these
technologies. To reduce this risk, as a best practice you should allow only
those specific ISAPI extensions or CGI files that you need to run on your Web
server.
Question: Do you currently support technologies like CGI or ISAP at your

organization? Do you have any security measures in place to manage these
applications?

Managing Rights and Permissions to Web Site Files
Key Points
Authentication helps you confirm the identity of users requesting access to your
Web sites. IIS 7.0 supports both challenge-based and login redirection-based
authentication methods.
Question: What are some scenarios where delegation and remote administration
would be useful for managing a complex Web server deployment?

Configuring Access Using Authentication
Key Points
• There are many different type of authentication available in IIS 7.0. Different
type of authentication can provide different types of Web site security.
• Only Anonymous Authentication is enabled by default.
Question: How does the processing of authorization differ from authentication?

Lesson 2
Configuring Other Aspects of Web Server
Security
There are additional tools and techniques that can be managed to enhance Web
server security. Certificates are a key component of creating a trusted relationship
between the Web client and the Web server.

Reviewing Certificates
Key Points
• Web server certificates protect Internet communication by establishing a trust
relationship between the Web client and Web server.
• You can obtain certificates from a mutually trusted third-party organization
called a certification authority. Server certificates provide a way for users to
confirm the identity of your Web site before they transmit personal
information, such as a credit card number.
Question: Name some common scenarios that use certificates and SSL-encrypted
connections?

Managing Certificates to Secure Web Servers
Key Points
Renewing expired certificates is easy. There are several tools and wizards available
in IIS 7.0 for managing certificates.
Question: Do you currently use Web server certificates? Do you plan on deploying
them in the future for new projects?

Managing Certificates to Secure Web Sites
Key Points
Adding security certificates to Web sites is very easy. There are several tools and
wizards available in IIS 7.0 for managing certificates.
Question: Can any of your Web sites benefit from the addition of security
certificates?

Managing Request Filtering
Key Points
• URLScan was a security tool that was provided as an add-on to earlier versions
of IIS so administrators could enforce tighter security polices on their Web
servers.
• There are many different filters that can be deployed when managing Request
Filtering.
Question: What aspects of attacks, malware, viruses and worms can be stopped
by implementing aspects of Request Filtering?

Minimizing the Modules to Secure the Web Server
Key Points
• IIS 7.0 features a completely modular Web server infrastructure where only
the bare minimum number of components are installed and enabled by
default.
• This has a lot of benefits since administrators can choose exactly what they
want to install. With fewer components installed, there is a much smaller
surface area available to attackers and there are fewer things to manage and
maintain.
Question: What unnecessary modules or features are usually running on badly

managed Web servers?

Using RPC over HTTPS
Key Points
RPC over HTTPS to provide an easy and secure method of connecting a Microsoft
Outlook client to a Microsoft Exchange server. You can configure user accounts in
Outlook to connect to an Exchange Server over the Internet without the need to
use VPN connections.
Question: Do you currently use RCP over HTTPS for Outlook/Exchange

Connectivity? Do you have any other software or systems that might benefit from
using RCP over HTTPS?

Permitting a User or Group to Connect to a Site
Key Points
Permit a Windows user to connect to a site or an application when you want to let
the user configure delegated features in that Web site or application using IIS
Manager. You can either permit a specific Windows user, or specify a Windows
group so that users of that group can connect to the site or application.

Defining ISAPI and CGI Application Restrictions
Key Points
• ISAPI and CGI restrictions are request handlers that allow dynamic content to
execute on a server.
• These restrictions are either CGI files (.exe) or ISAPI extensions (.dll).

Lesson 3
Configuring Logging for IIS 7.0
Effective monitoring and auditing of Web server logs is necessary for maintaining
useful and stable Web sites. The logging options in IIS 7.0 are highly configurable.

Logging Operations Overview
Key Points
• You can collect information about user activity by enabling logging for your
Web sites and servers.
• Logging information in IIS 7.0 goes beyond the scope of the simple event
logging or performance monitoring features in Microsoft Windows.
• The logs can include information such as who has visited your site, what the
visitor viewed, and when the information was last viewed.
Question: How have you used Web site logging in the past?

Managing Logging to Secure Web Sites and Servers
Key Points
• Logging can help secure Web sites and servers. You can collect information
about user activity by enabling logging for your Web sites.
• The logs can include information such as who has visited your site, what the
visitor viewed, and when the information was last viewed. You can use these
Web logs to assess content popularity or to identify information bottlenecks.
Question: Do you currently audit your Web logs for unauthorized and possibly
harmful Web site requests?

Reviewing Information Available to Log
Key Points
• Logging options are very customizable in IIS 7.0. There are many fields and
information that can be integrated into the Web site log files.
• Effective use of the Logging Options all you to build comprehensive Web logs
that are manageable in size.
Question: What fields might be most useful in reviewing Web site logs?

Configuring Logging for Web Sites and Applications
Key Points
• There are many different formats, encoding, and options for Web site logging.
• The default logging method for IIS 7.0, the W3C Extended Log File Format is
a standard defined by the World Wide Web Consortium. This logging format
can divulge a large amount of information on the activity of your IIS server,
and IIS lets you drill down to select which options you want to log.
Question: What type of log file rollover setting might be most useful in your
organization?

Viewing IIS 7.0 Logs Using the IIS Manager
Key Points
• The View Log Files option opens the log file directory.
• The View Log Files option may be unavailable. If it is not available, you can use
Notepad or a third-party product to view the logs.
Question: What third-party applications can you use for analyzing Web site log
files?

Monitoring and Auditing IIS 7.0 Logs
Key Points
• You can use the logs to assess content popularity of certain Web site pages or
files. You can also identify information bottlenecks.
• You can use security auditing techniques to track the activities of users and to
detect unauthorized attempts to access your NTFS file system directories and
files.

Reviewing Best Practices for Maintaining IIS Logs
Key Points
• It is important to maintain good practices when managing and review your
Web log files.
• Locate the log file on a secure, reliable drive and should be stored in a
directory other than systemroot.
• Maintain a reliable corporate policy on log file retention.
• Monitor and manage the maximum number of log files to keep and the
maximum size of the log files.
• Find and secure access to obsolete files.
Question: Do you know of any other good practices in managing and monitoring
Web site logs?

Lab 1: Securing IIS 7.0 Web Server and Web

Sites
Exercise 1: Configure a Secure Web Server

Scenario
Additional security measures need to be put in place to protect the Web server.
These measures will protect the Web server against unauthorized access by specific
IP addresses and domains.
Additional ISAPI and CGI restrictions need to be put into place. Then you are given
a list of accounts authorized for a specific site. You must give separate access to the
IT Admin group and the developer, Herbert Dorner.
1. Start the 6427K-NYC-DC1 virtual machine and log on as Administrator.
2. Start the 6427K-NYC-WEB virtual machine and log on as Administrator
3. Create a self-signed server certificate for the Web server.

4. Block IP addresses as specified in the service request.

5. Examine the current ISAPI and CGI Restrictions.
6. Install the .NET Framework 1.1.
7. Set ISAPI and CGI restrictions to use ASP.NET version 1.1.
8. Set the rights and permissions for Active Directory users.
9. Test and validate the new configuration.
f Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as

Administrator

Administrator
f Task 3: Create a self-signed server certificate for the Web server
f Task 4: Block IP addresses as specified in the Service Request
f Task 5: Examine the current ISAPI and CGI Restrictions
f Task 6: Install the .NET Framework 1.1
f Task 7: Set ISAPI and CGI restrictions to use ASP.NET version 1.1

f Task 8: Set the rights and permissions for Active Directory users
f Task 9: Test and validate the new configuration
Results: After this exercise, you should have successfully set IP restrictions, ISAPI and
CGI restrictions, and Active Directory permissions, as specified in a service request
document

Exercise 2: Configure Authorization, Authentication and

Access
Scenario
Additional security measures need to be put in place to protect the Web server. An
application is protected with forms authentication, but it is discovered that some of
the content can bypass forms authentication and still be accessed, such as a jpg, by
entering the direct URL path and file name. You must configure the protected
content to use the managed forms authentication module.
1. Turn off the Web site cache for the shared documents folder.
2. Sign into the Woodgrove Bank Web site and retrieve the confidential memo.
3. Bypass the Web site forms authentication.
4. Modify the applicationHost.config file to handle forms authentication.
5. Reconfigure the authorization and authentication so that the protected content
uses forms authentication.
6. Test and validate the Web site’s new configuration
f Task 1: Turn off the Web site cache for the shared documents folder
f Task 2: Sign into the Woodgrove Bank Web site and retrieve the
confidential memo
f Task 3: Bypass the Web site forms authentication
f Task 4: Modify the applicationHost.config file to handle forms

authentication

f Task 5: Reconfigure the authorization and authentication so that the

protected content uses forms authentication
f Task 6: Test and validate the Web site’s new configuration
Results: After reconfigure the Web site’s authorization and authentication, so that all
content uses forms authentication and thereby protecting the confidential memo, the
only way to obtain the memo is by having the correct credentials.

Exercise 3: Configure Logging

Scenario
Additional security measures need to be put in place to protect the Web server.
You received a service request to keep a log of all visitors to the Web server for the
past 24 hours. You must enable and configure logging and then test and verify the
log.
1. Examine and configure logging options.
2. Test the logging operations.
f Task 1: Examine and configure logging options
f Task 2: Test the logging operations
Results: After examining the configuration of the Web server’s logging settings, the
current log file was examined and proven to successfully track the Web server’s
activity.

Review Questions
1. After reviewing your Web server logs you notice some suspicious requests
employing non-ASCII characters. What security feature could you employ in
response to this particularly hazard?
2. Which user is assigned access to files when you allow anonymous access?
3. A developer wants to deploy an application, authenticating users using the
new Passport system. Which Authentication method would you recommend?
4. A developer wants to add a shopping component to a Web site. What would
you do to ensure confidence and security for users to enter their credit card
numbers into a Web form?

Common Issues related to a particular technology area in the module


Anonymous users gaining access to Check to make sure that Anonymous
protected content Authentication is set to Disabled.
Active Server Pages not running Check to make sure that ASP content is
activated in the ISAPI and CGI restrictions.

1. The intranet server for Humongous Insurance hosts content that is available to
all employees. The Human Resources department has requested that addition
content needs to be added that should be viewed only by members of the
Human Resources group. What security feature could you employ in to restrict
access to this content?
Best Practices Related to Securing Web Servers and Web Sites

• Allowing all unspecified extensions is a security risk, because your Web server
could become susceptible to computer viruses or worms that exploit these
technologies. To reduce this risk, you should allow only those specific ISAPI
extensions or CGI files that you need to run on your Web server.
• The domain name restrictions rules restrict access by domain name. This rule
significantly affects server performance because it requires a DNS lookup for
every request.
• Employ minimal install to install only the bare minimum number of
components. With fewer components installed, there is a much smaller surface
area available to attackers and there are fewer things to manage and maintain.
• Deploy HTTP request filtering to monitor all incoming URLs and suppress
certain strings before they were processed. This allows Web server
administrators to do things like block certain executables, create hidden
directories unreachable with HTTP, and set limits for connections, among
others.

• Restrict directory browsing to prevent snooping of your Web server content.

• Locate the log file on a secure, reliable drive and should be stored in a
directory other than systemroot.
• Monitor and manage the maximum number of log files to keep and the
maximum size of the log files.
Tools

IIS Manager • Editing security configuration Administrative Tools
Notepad • Editing config files Accessories
Notepad • Viewing log files Accessories

Configuring Delegation and Remote Administration 6-1
Module 6
Configuring Delegation and Remote
Administration
Contents:
Lesson 1: Configuring Remote Administration 6-3
Lesson 2: Configuring Delegated Administration 6-13
Lesson 3: Configuring Feature Delegation 6-17
Lab: Configuring Delegation and Remote Administration 6-25

Module Overview
This module helps students to use the delegated rights assignment system and the
remote administration system in IIS 7.0. Students will assign rights to Web sites to
users and configure users to serve as remote administrators of a server and its
corresponding Web sites.

Lesson 1
Configuring Remote Administration
The IIS 7.0 remote administration service uses the HTTPS protocol to allow remote
Web server administration. This lesson focuses on configuring the Remote
Administration service.

Delegation Overview
Key Points
IIS 7.0 delegated administration is useful in a multiple scenarios, including the
following:
• You are a server administrator and you are not the primary person providing
content on your server.
• You are a developer and you want your server administrator to give you more
control over IIS configuration for your application.
IIS7 feature delegation means:

• Managing the set of site and application users that are permitted to use IIS
Manager to view configuration and set configuration for features with
unlocked configuration sections.

Question: In your work environment, what scenarios would benefit from

delegated administration?

Remote Administration Overview
Key Points
There are two steps for configuring remote administration:
• Specify the users that can connect to a site or application
• Configure and start the Web Management Service (WMSVC)

Remote Administration Service Settings
Key Points
The Management Service enables computer and domain administrators to
remotely manage a Web server that uses IIS Manager.
The service also enables delegated administrators to locally and remotely manage
delegated features of Web sites and Web applications on the Web server that uses
IIS Manager.

Remote Administration Connection Settings
Key Points
The Remote Administration Connection Settings are highly configurable and
customizable to create a best fit for your organization.
The Remote Administration Connection Settings available for configuration
include:
• IP Address
• Port
• SSL Certificate
• Log Requests to
Question: What benefits and drawbacks are experienced when using a self-signed
certificate?

Configure Remote Administration for IIS Server
Key Points
It's easy to configure Remote Administration for IIS.
Configuring Remote Administration for IIS includes the following steps:
1. Install the Web Management Service (WMSVC)
2. Enable remote connections
3. Optionally set other configuration.
4. Start WMSVC, and optionally change the service Startup Type from Manual to
Automatic
5. Configure Identity Credentials
6. Configuring Users and Permissions for IIS Manager

7. Create an IIS Manager User

8. Configure IIS Manager Permissions for the Site
9. Configure Access Control Lists for Content Directories
10. Connect to a Site or an Application in IIS Manager

HTTP with SSL vs. DCOM for Remote Administration
Key Points
The IIS 7.0 Remote Administration tool uses HTTP with the SSL protocol and
offers the following advantages:
• Administrators can manage the entire Web server
• Administrators have almost the same experience as local use of the IIS
Manager tool.
• Both Administrators and non-administrators can use the tool.
• Windows User accounts and IIS Manager User accounts can be delegated
permission.
• The server Administrator decides what non-administrators can view and
change through Feature Delegation.
• The IIS 7.0 Remote Administration tool uses HTTPS which is a secure firewall
friendly protocol which requires opening only one port on a firewall to permit
inbound access to the tool.

Question: What configuration is necessary to permit HTTPS traffic through a

firewall?

Lesson 2
Configuring Delegated Administration
IIS 7.0 distributes its configuration data among several XML files. This allows
considerable flexibility in configuring individual sites or applications. The IIS 7.0
distributed configuration system also makes it possible to delegate administrative
access to individual Web sites or applications. This lesson focuses on how the IIS
7.0 distributed configuration system is used to delegate Web site or application
configuration.

Distributed Configuration System Overview
Key Points
The IIS 7.0 configuration system uses the following files:
• A central configuration file named applicationHost.config that is located in
%WINDIR%\System32\InetSrv\Config\.
• Several Web.config files can appear at any level of the URL hierarchy.
• The machine.config file defines the properties that are required for all
ASP.NET Framework features.
• Configuration file settings inherit from parent to child file from machine.config
down to the last Web.config file (if any) and the effective configuration is
calculated for a given path. Any setting at a lower level in the hierarchy will
override a parent setting defined in a file above the current level.

Hierarchy of Configuration Files
Key Points
There are three key files that control the operation of IIS 7.0.
• The first file is machine.config. This file contains the .NET Framework
settings for the server. In Windows Vista and Windows Server 2008, this file
contains all the global settings for .NET-related components and features.
• The applicationHost.config file contains settings for IIS and other services
that have settings in common with IIS.
• The next file in the hierarchy is the root Web.config file, which defines the
global settings for properties defined for all ASP.NET Web applications. This
file exists for each version of the .NET Framework installed on the server
• There may be optional Web.config files in the root of the Web content
directories which control the behavior of that site.

How to Delegate Administrative Rights
Key Points
The process of delegating administrative rights includes the following tasks:
1. Add site administrators to a site, and add application administrators to an
application.
2. Configure the delegation state of site and application features for site and
application administrators to view and configure.
3. Configure connection settings and enable remote management.

Lesson 3
Configuring Feature Delegation
IIS 7.0 can delegate permission in a granular fashion. By using feature delegation,
server administrators can determine which features can be modified by site or
application administrators. This lesson focuses on using feature delegation.

Feature Delegation in IIS 7.0
Key Points
IIS 7.0 feature delegation has the following characteristics:
• The server administrator decides which features non-administrators can view
and change.
• Features which are not delegated are not visible in the UI at site or application
levels.
• Feature delegation works by locking or unlocking configuration sections.

Feature Delegation Options
Key Points
The server administrator can configure individual features with the following
states:
Read/Write: When you select Read/Write for a feature, you unlock the feature's
related configuration section(s) in ApplicationHost.config.
Read Only: When you select Read Only for a feature, you lock the feature's related
configuration section(s) in ApplicationHost.config.
Remove Delegation: When you select Remove Delegation for a feature, you lock
the feature's related configuration section(s) in ApplicationHost.config.
Reset to Inherited: When you select Reset to Inherited for a feature, the delegation
state for that feature is returned to its default setting.
Configuration Read/Write: When you select Configuration Read/Write for a
feature, you unlock the feature's configuration section(s) in ApplicationHost.config.
Configuration Read Only: When you select Configuration Read Only for a feature,
you lock the feature's configuration section(s) in ApplicationHost.config.

Question: What are some scenarios when Configuration Read/Write would be

used instead of Read/Write?

Default Feature Delegation Settings
Key Points
The default feature delegation settings were created with the best practices in
mind.

How to Configure Feature Delegation in IIS 7.0
Key Points
Configuring feature delegation in IIS 7.0 includes the following steps:
1. Open IIS Manager (Start, Run, type inetmgr.exe) and click on the connection
to the local server in the treeview on the left-hand side.
2. Scroll down the feature list, find Feature Delegation, and double-click to open.
3. Click on a feature to set the delegation options in the task pane on the right.

Feature Delegation with Remote Management
Key Points
Feature delegation is a useful tool for allowing non-administrators to manage
discrete components of a Web site.
Using feature delegation and remote management together includes the following
steps:
1. Set the desired feature delegation settings.
2. Specify the users that can connect to a site or application.
3. Install the Web Management Service.
4. Configure and Enable remote management.
5. Start the Web Management Service.
6. Test the configuration by connecting from a remote machine.

Best Practices for Feature Delegation
Key Points
It is important to maintain good practices when deploying feature delegation.
Best practices for feature delegation include:
• Back up configuration files before modifying them.
• Give only the needed level of access.
• Don’t change the system account.
• Don't make delegation more restrictive after initial configuration.
Question: Why is delegating only the needed level of access recommended?

Lab 1: Configuring Delegation and Remote

Administration
Exercise 1: Configuring Remote Administration

Scenario
You need to be able to configure the server remotely. You must enable remote
administration and then test it by accessing the administration features from a
remote computer.
A new site has been set up and you have been asked to delegate the administration
of the site to the business owner. You will need to give the business owner
permission to administer their site only, but not the other sites hosted on the
server
You have been assigned a service request to allow all site owners to administer the
error messages for their site. You must unlock the error page feature so that it can
be delegated.
In this exercise you will practice configuring a Web server for remote
administration.

This exercise’s main tasks are:

1. Configure NYC-WEB for remote administration.
2. Test NYC-WEB remote administration.
f Task 1: Configure NYC-WEB for remote administration.

• Add the IIS Management role service to NYC-WEB-01.
• Configure the IIS Management service to accept both Windows Credentials
and IIS Manager Credentials.
• Start the IIS Management service.
f Task 2: Test NYC-WEB remote administration.

• On NYC-DC-01, add the IIS Management Console.
• On NYC-DC-01, use the IIS Management Console to connect to NYC-WEB.
• On the NYC-WEB Default Web Site, set index.htm at the first default
document.
Results: After completing this exercise, you should have configured the IIS
Management Service to accept remote connections and you should have tested a
remote connection from NYC-DC-01.

Exercise 2: Configuring Delegated Administration

Scenario
remote computer.
server
be delegated.
In this exercise you will practice delegating administration of two Web sites to the
appropriate business owners.
1. Configure delegated administration for the Human Resources site.
2. Configure delegated administration for the Sales site.
3. Test delegated administration for the Human Resources and Sales sites.
f Task 1: Configure delegated administration for the Human Resources

site.
• On NYC-WEB, share E:\WoodgroveHRSite.
• Grant Co-owner access to kabercrombie@woodgrovebank.com.
• In IIS Manager, grant the Windows user kabercrombie@woodgrovebank.com
access to the HR site.

f Task 2: Configure delegated administration for the Sales site.

• On NYC-WEB, share E:\WoodgroveSalesSite.
• Grant Co-owner access to jhay@woodgrovebank.com.
• Allow configuration override for the authentication section of
applicationHost.config.
• Use notepad to open
C:\windows\system\intesrv\config\applicationhost.config.
• remove the following text:
<anonymousAuthentication enabled="true" userName="IUSR" />

<basicAuthentication />
<clientCertificateMappingAuthentication />
<digestAuthentication />
<iisClientCertificateMappingAuthentication
• insert the following text on the line before </configuration>:
<location overrideMode="Allow">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" userName="IUSR" />
<basicAuthentication />
<clientCertificateMappingAuthentication />
<digestAuthentication />
<iisClientCertificateMappingAuthentication />
<windowsAuthentication />
</authentication>
</security>
</system.webServer>
</location>
• Save changes to the applicationHost.config file.

f Task 3: Test delegated administration for the Human Resources and

Sales sites.
• On NYC-DC-01, log in as kabercrombie@woodgrovebank.com with a
password of Pa$$w0rd.
• Use IIS Manager to connect to the HR site on NYC-WEB. Use the
kabercrombie@woodgrovebank.com account.
• Use IIS Manager to connect to the Sales site on NYC-WEB. Use the
kabercrombie@woodgrovebank.com account.
Question: Why does an error occur?
• Log in to NYC-DC-01 as jhay@woodgrovebank.com with a password of

Pa$$w0rd.
• Disable Windows authentication and anonymous authentication in the
Web.config file for the Sales site.
• Use notepad to open \\NYC-WEB\WoodgroveSalesSite\Web.Config.
• insert the following text on the line before </configuration>:
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled=”false” />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
• Save changes to the Web.config file.

• Use Internet Explorer to access http://sales.woodgrovebank.com.
Question: Why does the server report a 401 error?
• Attempt to configure \\NYC-WEB\WoodgroveHRSite\Web.Config.
Results: After completing this exercise, you should have successfully delegated
administration for the Human Resources Web site to Kim Abercrombie and delegated
administration for the Sales Web site to Jim Hay.

Exercise 3: Configuring Feature Delegation

Scenario
remote computer.
server
be delegated.
In this exercise you will practice configuring delegated administration so that all
site owners can administer the error messages for their site.
1. Configure feature delegation for the Human Resources and Sales sites.
2. Test feature delegation for the Human Resources site.
f Task 1: Configure feature delegation for the Human Resources and

Sales sites.
• On NYC-WEB, use feature delegation to set Error Pages to Read/Write.
f Task 2: Test feature delegation for the Human Resources site.

• On NYC-DC-01, log in as kabercrombie@contoso.com with a password of
Pa$$w0rd.
• Use IIS Manager to connect to the HR site on NYC-WEB.
• Set a custom error page of /ErrorPages/custom404.htm for the 404 error page.
Results: After completing this exercise, you should have successfully configured
the Human Resources and Sales sites so that the site owners can customize error
pages for each site.

Review Questions
1. What are the steps in configuring the Web management service?
2. What files are involved in delegated administration?
3. What are some best practices for feature delegation?

Common Issues related to configuring feature delegation and remote

administration.
Identify the causes for the following common issues related to configuring feature
delegation and remote administration and fill in the troubleshooting tips. For
answers, refer to relevant lessons in the module.
Self-signed certificates Self-signed certificates usually produce a non-

critical error because they are not issued by a
certification authority that is recognized by the
remote client.
Firewall ports The remote management service uses TCP port

8172 by default. Even though HTTPS is the
protocol used for remote management, any
firewalls between the Web server and the remote
administrator will need to permit port 8172, or
the port configured in the remote management
settings.
File permissions on Web.config Delegated administrations must be able to modify

the Web.config file for their Web site or
application.
Configuration file conflicts Configuration file settings inherit from parent to

child file from machine.config down to the last
Web.config file (if any) and the effective
configuration is calculated for a given path. Any
setting at a lower level in the hierarchy will
override a parent setting defined in a file above
the current level.

1. A hosting provider wants to delegate site management to each customer for
that customer’s site.
2. A corporate Web server hosts multiple departmental sites. The server
administrator wants to delegate limited access to departmental site managers.
What access should be delegated? What access should not be delegated? What
are the access requirements in your environment?

Best Practices related to configuring feature delegation and remote

administration.
• Back up configuration files before modifying them.
• Give only the needed level of access.
• Don’t change the system account.
• Don't make delegation more restrictive after initial configuration.

Using Command-line and Scripting for IIS 7.0 Administration 7-1
Module 7
Using Command-line and Scripting for IIS 7.0
Administration
Contents:
Lesson 1: Tools for Running Administrative Tasks in IIS 7-3
Lesson 2: Executing Scripts for Administrative Tasks 7-9
Lesson 3: Managing IIS Tasks 7-16
Lab: Using Command-line and Scripting for IIS 7.0 Administration 7-24

Module Overview
This module helps you to use command-line and scripting for IIS 7.0
Administration.
After completing this module, you will be able to:
• Use PowerShell for IIS 7.0 administration.
• Extend PowerShell with scripts.
• Run a script using PowerShell.
• Use Microsoft.Web.Administration for IIS 7.0 administration.
• Perform AppCmd tasks for IIS 7.0
• Use WMI objects to perform administrative tasks.

Lesson 1
Tools for Running Administrative Tasks in IIS
This lesson will provide some introductory information for command-line and
scripting for IIS 7.0 administration. The new tools for use with IIS 7.0 will be
explained and the benefits highlighted.

IIS 7.0 Management
Key Points
New administration tools for IIS 7.0:
• IIS Manager – Feature-focused administration tool with dialogs for common
administrative tasks.
• PowerShell – New command-line administration tool that can use WMI
provider and .NET API.
• AppCmd – For use specifically for IIS 7.0 administration.
Question: When would you choose to use command-line tools instead of the IIS
Manager?

PowerShell Overview
Key Points
Windows PowerShell is a new tool to perform command-line administration.
• Object-Oriented Data Handling - PowerShell, based on the .NET Framework
platform, provides a powerful object-model command-line environment.
• Namespaces - As a WMI interface provider, scripting in PowerShell can
significantly shorten the amount of time required to do repetitive maintenance
and management.
• Pipelining - You can pipe the output from one command as the input into
another command.
• Transparent access to the commands is available through the Command
Prompt.
• Trusted Scripts - As an option, all scripts may be required to be digitally signed
before they are allowed to run.

Benefits of Using PowerShell
Key Points
PowerShell is a command-line tool like cmd.exe, except it is more powerful. The
improvements over cmd.exe make PowerShell a better choice for IIS 7.0
administration.
Question: Do you use cmd.exe in your current deployment?
Question: What are some advantages to using PowerShell instead of cmd.exe?

Benefits of Using Microsoft.Web.Administration APIs
Key Points
• The Microsoft.Web.Administration provides a programmatic way to access and
update the Web server configuration and administration information.
• The Microsoft.Web.Administration.dll is an easy way for users to tweak
settings on the server.
• The MWA API would be used when you wanted to write a program in
managed code (C#, VB etc) to configure the server in a particular manner in
order. This API can be used from PowerShell.

Benefits of Using AppCmd.exe and Command-line Scripts
Key Points
AppCmd.exe is the single command line tool for managing IIS 7.0. It exposes all
key server management functionality through a set of intuitive management objects
that can be manipulated from the command line or from scripts. AppCmd enables
you to easily control the server without using a graphical administration tool and
to quickly automate server management tasks without writing code.
Question: How does administration with AppCmd.exe differ from IIS Manager?

Lesson 2
Executing Scripts for Administrative Tasks
This lesson will explain how to use scripting for IIS 7.0 administrative tasks.
Sample scripts will be examined; as well, as techniques for writing scripts.

Using Scripts for Administrative Tasks
Key Points
• Ways to use scripts for IIS 7.0 administration include PowerShell scripts,
PowerShell Command-lets, AppCmd.exe scripts and through the use of the
Microsoft.Web.Administration API.
• The AppCmd.exe command line is built on top of a set of top level server
management objects, such as Site and Application. These objects expose
methods that can be used to perform various actions on those objects, and
object instances expose properties that can be inspected and manipulated.

Using PowerShell Scripts for Administrative Tasks
Key Points
• The net effect of this example script will be to copy all files listed in file
AppManifest.txt, located on machine DemoServer1, to all the machines listed
in file RestOfFarm.txt.
• The script uses the get-content cmdlet to read machine names from file
RestOfFarm.txt and file names from file AppManifest.txt.
• The foreach loop: The outer loop iterates through each machine name stored
in variable $farmList, storing each name into variable $targetMachine in turn.
The inner loop is similar and stores each file into $file in turn.
• The join-path cmdlet is used to intelligently concatenate strings to produce
complete source and destination paths.
• Finally the copy-item cmdlet is used to perform the copy actions, where the -
recurse switch will copy all sub-directories and the -force switch causes
existing files to be overwritten. Notice this script has all information about
source and destination locations hard-coded into the script.

Question: If you are familiar with Visual Basic, how would this code translate to
Visual Basic?
Question: In a production environment, would you want to hard code the source
and destination location into the script?

Writing PowerShell Command-lets for IIS 7.0
Key Points
Windows PowerShell supports cmdlets that are derived from two different base
classes:
• Most cmdlets are based on .NET classes that derive from the Cmdlet base
class.
• More complex cmdlets are based on .NET classes that derive from the
PSCmdlet base class.
Question: If you were writing a cmdlet that created an application pool, what
would you name the cmdlet?

Using AppCmd and Command-line Scripts
Key Points
Before you can serve a single request from your IIS7 server, you need to create a set
of configuration that describes how the server listens for requests, and how these
requests are then dispatched to your scripts or static files. To do this, you need to
at minimum create a site, an application, a virtual directory, and an application
pool.

Accessing Microsoft.Web.Administration in PowerShell
Key Points
Microsoft.Web.Administration.dll can be loaded into PowerShell and then used to
view information such as Web site names.

Lesson 3
Managing IIS Tasks
This lesson will go into detail of how to use PowerShell, AppCmd, WMI and MWA
to perform IIS 7.0 administrative tasks.

How to use AppCmd: <COMMAND> Options
Key Points
• In IIS 6.0 several of administrative tasks were performed using several
scattered VBS script files. This made it difficult to find out what script needed
to be run. IIS 7.0 is powered with AppCmd.exe which provides all the options
you need to administer IIS 7.0.
• AppCmd works by executing a command on one of the supported
management objects, with optional parameters used to further customize the
behavior of the command:
APPCMD.EXE <COMMAND> <OBJECT> <ID> [ /parameter:value ]*
Question: Do you have any administrative tasks for IIS 6.0 in your organization
that requires the use of more than one script?

How to use AppCmd: <OBJECT> Options
Key Points
• An object will often support additional commands, such as START and STOP
for the Site object.
• <OBJECT> is the one of the management objects supported by the tool.

Using AppCmd to Manage IIS 7.0 Tasks
Key Points
AppCmd can be used for commonly performed tasks, such as creating backups,
viewing a Web site's configuration, or starting Web sites.
Question: Can you think of a situation where AppCmd would be useful in your
organization?

Automating Tasks using Scripts
Key Points
You can use PowerShell scripts to automate tasks. These tasks can be set to start
with any number of triggered events such as a disk failure or a scheduled time.

PowerShell Command-lets for IIS 7.0
Key Points
Built-in PowerShell cmdlets provide easy access to commonly performed tasks.

Using PowerShell to Manage IIS 7.0 Tasks
Key Points
• PowerShell can extract specify information.
• You can format your output to meet your needs.
• Piping with PowerShell cmdlets allows you to input the result of one cmdlet
into another.
Question: What is the advantage of piping commands with PowerShell?

Using WMI Provider to Manage IIS 7.0 Tasks
Key Points
WMI scripting lets you manage worker processes and application domains
(AppDomains) in IIS 7.0.

Lab: Using Command-Line and Scripting for

IIS 7.0 Administration
Exercise 1: Manage IIS Web Sites with PowerShell

Scenario
The development team requires additional tools to manage their Web sites. First
you need to make sure that PowerShell with correctly manage the server’s services
and make sure it can successfully stop and start the Web service.
In this exercise, you will learn how to use PowerShell to manage IIS 7.0.The main
tasks for this exercise are as follows:
1. Start the 6427A-NYC-WEB virtual machine and log on as Administrator
2. Install Windows PowerShell.
3. Use PowerShell to identify all services.
4. Use PowerShell to identify running services that start with a w.

5. Stop the w3svc service using PowerShell

6. Start the w3svc service using PowerShell.
7. List the Powershell.exe process using the get-wmiobject cmdlet.

Administrator
f Task 2: Install Windows PowerShell.

• Windows PowerShell is a feature accessed through Server Manager
f Task 3: Use PowerShell to identify all services.

• Use the get-service cmdlet
f Task 4: Use PowerShell to identify running services that start with a w.
f Task 5: Stop the w3svc service using PowerShell.

• Use the stop-service cmdlet
• Use the get-service cmdlet to confirm
f Task 6: Start the w3svc service using PowerShell.
f Task 7: List the Powershell.exe process using the get-wmiobject

cmdlet.
Results: After this exercise, you should have successfully identified, stopped and
started services using PowerShell.

Exercise 2: Use Microsoft.Web.Administration

Scenario
You need to verify that a script will effectively stop and start using MWA. Run the
script and then check to make sure that the service is stopped. Then restart the
service using the script and verify that it is started.
In this exercise, you will learn how to use MWA to execute a script.
1. Load Microsoft.Web.Administration.dll.
2. Get Web site information with MWA.
3. Create a function using MWA to find Web sites.
4. Use the findsite function to list the default Web site, the default Web site ID,
and then stop and start the default Web site.
f Task 1: Load Microsoft.Web.Administration.dll

• Open PowerShell
• Use this command:
[System.Reflection.Assembly]::LoadFrom(“C:\windows\system32\inetsrv\
Microsoft.Web.Administration.dll")
f Task 2: Get Web site information with MWA

• (New-Object Microsoft.Web.Administration.ServerManager).Sites
• (New-Object Microsoft.Web.Administration.ServerManager).Sites |
ForEach-Object {$_.Name}
f Task 3: Create a function using MWA to find Web sites

• function findsite {$name=$args[0]; ((New-Object
Microsoft.Web.Administration.ServerManager).Sites | Where-Object
{$_.Name –match $name}); }

f Task 4: Use the findsite function to list the default Web site, the
default Web site ID, and then stop and start the default Web site
Results: After this exercise, you should have successfully used

Microsoft.Web.Administration to gather Web site information and created a function
to start and stop the default Web site.

Exercise 3: Automate IIS Administration using Scripts

Scenario
The development team provided you with a script that lists Web sites on the
server. You need to test and run the script using PowerShell.
You also need to deploy several identical Web sites using the same default content
located on a share. A PowerShell script will be used to automate this task.
In this exercise, you will learn how to use a PowerShell scripts.
1. Create Microsoft.PowerShell profile script to automatically load assemblies.
2. Set execution policy to unrestricted.
3. Add a global variable to profile script.
4. List sites using global variable.
5. Use PowerShell script to find sites.
6. Review and run a script to create a Web site.
7. Use PowerShell script to verify site was created.
f Task 1: Create Microsoft.PowerShell profile script to automatically

load assemblies
• To open profile script: if (test-path $profile) {echo “Path exists.”} else {new-
item –path $profile –itemtype file –force}; notepad $profile
• Profile script:
echo “Microsoft IIS 7.0 Environment Loader”

echo “Copyright © 2006 Microsoft Corporation. All rights reserved.”
echo “ Loading IIS 7.0 Managed Assemblies”
$inetsrvDir = (join-path –path $env:windir –childPath

“\system32\inetsrv\”)
Get-ChildItem –Path (join-path –path $inetsrvDir –childPath
“Microsoft*.dll”) | ForEach-Object
{[System.Reflection.Assembly]::LoadFrom( (join-path –path
$inetsrvDir –childPath $_.Name)) }
echo “ Assemblies loaded.”

f Task 2: Set execution policy to unrestricted

• View execution policy with get-executionpolicy cmdlet
• Set execution policy with set-executionpolicy cmdlet
f Task 3: Add a global variable to profile script

• Add this line to the profile script:
new-variable iismgr –value (New-Object

Microsoft.Web.Administration.ServerManager) –scope “global”
f Task 4: List sites using global variable
f Task 5: Use PowerShell script to find sites

• Save the script located in E:\AllFiles\scripts\iis.type.ps1xml to
c:\windows\System32\WindowsPowerShell\v1.0
• Type the following at the end of the profile script
new-variable iissites –value (New-Object

Microsoft.Web.Administration.ServerManager).Sites –scope “global”
new-variable iisapppools –value (New-Object
Microsoft.Web.Administration.ServerManager).ApplicationPools –scope
“global”
update-typedata –append (join-path –path $PSHome –childPath
“iis.types.ps1xml”)
• At the PowerShell command prompt run $iissites.Find(“^Default*”)
f Task 6: Review and run a script to create a Web site

• The script is located in E:\Allfiles\Scripts\Visual Studio
2005\Projects\CreateWebsite\CreateWebsite\Bin\Debug\CreateWebsite.
exe
• Copy the script to the C:\drive and run it from PowerShell

f Task 7: Use PowerShell script to verify site was created

• Use $iissites.Find to locate NewSite
Results: After this exercise, you should have successfully created a

Microsoft.PowerShell profile script. You should have also used a saved script to list
Web site. Finally, you should have successfully created a site named NewSite.

Exercise 4: Navigating IIS tasks using WMI and AppCmd

Scenario
You need to verify which tasks are running on the server. Use WMI and AppCmd
to display the list of running tasks.
In this exercise, students will use WMI and AppCmd for IIS administration.
1. Use AppCmd to identify tasks running on the Web server.
2. Use AppCmd to identify all running application pools.
3. Use AppCmd to recycle all running application pools.
4. Move all applications in a site to NewAppPool apppool.
5. Store configuration information to file, and then restore the configuration
information.
6. Use WMI to list the default Web site on the Web server.
f Task 1: Use AppCmd to identify tasks running on the Web server

• Open a Command Prompt
• Navigate to c:\windows\system32\inetsrv to run AppCmd
f Task 2: Use AppCmd to identify all running application pools
f Task 3: Use AppCmd to recycle all running application pools

• Use this command: appcmd list apppool /xml | appcmd recyle apppool /in
f Task 4: Move all applications in a site to NewAppPool apppool

• Use this command: appcmd list app /site.name:"NewSite" /xml | appcmd
set app /in /applicationPool:NewAppPool

f Task 5: Store configuration information to file, and then restore the

configuration information
• To store configuration information: appcmd list config “Default Web Site/”
/section:caching /xml /config > config.xml
• To restore configuration information: appcmd set config “Default Web site/”
/in < config.xml
f Task 6: Use WMI to list the default Web site on the Web server
• Using Notepad create a file named GetSite.vbs with the following code:
Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSite = oIIS.Get("Site.Name='Default Web Site'")

WScript.Echo "Retrieved an instance of Site "
WScript.Echo " Name: " & oSite.Name
WScript.Echo " ID: " & oSite.ID
• Open a Command Prompt and navigate to folder where GetSite.vbs is located

• Type cscript //h:cscript
• Run GetSite.vbs script
Results: After this exercise, you should have successfully used AppCmd to recycle
application pools, move application and store configuration information to a file. You
should have also successfully identified the default Web site using WMI.

Review Questions
1. What are the different tools available for IIS 7.0 administration?
2. How can you use scripts to simplify IIS 7.0 administration?
3. What are the benefits of PowerShell?
4. What things can you do with AppCmd.exe?
5. What is Microsoft.Web.Administration and how can it be used?
6. What are some examples of tasks you can perform using WMI?

Tuning IIS 7.0 for Improved Performance 8-1
Module 8
Tuning IIS 7.0 for Improved Performance
Contents:
Lesson 1: Implementing Best Practices for Improving IIS Performance 8-3
Lesson 2: Configuring Options to Improve IIS Performance 8-7
Lesson 3: Managing Application Pools to Improve IIS Performance 8-13
Lab: Tuning IIS 7.0 for Improved Performance 8-18

Module Overview
An important aspect of managing a Web server is implementing best practices that

ensure the best possible performance. This module briefly introduces some best
practices for improving performance in IIS 7.0. In this module, you will learn the
how to configure IIS to provide the best performance. You will also learn how to
manage applications pools to achieve performance goals.

Lesson 1:
Implementing Best Practices for Improving IIS
Performance
Before configuring performance options, it is important to understand how global

chances and local changes impact running servers, and how server consolidation
and limiting server access play an important role in maximizing resources. In this
module, you will learn about the best practices for implementing changes,
consolidating servers, and configuring limits on Web site access.

How do Global Changes Impact Running Worker

Processes?
Key Points
When a change is made at the site or application level, the changes are picked up
immediately by the Web server. Only the global changes that affect multiple sites
and applications will cause the running processes to recycle. If changes are made
in a localized scope, then the rest of the sites and applications will not be restarted.
Because of this, you should schedule global changes for off-peak times to avoid
service interruption.
Question: What are some examples of local and global changes?

Why Consolidate Server Roles?
Key Points
When you standardize on fewer physical servers, the number of machines and
complex configurations you need to manage decreases. This has two key benefits:
• Increased reliability and availability: Standardize high availability
configurations and make fewer changes.
• Improved Security: Standardizing configuration and secure management
practices improve security.
Question: How might your organization benefit by retiring or reusing older

hardware and consolidating sites?

When to Configure Web Site Limitations
Key Points
Use Web Site Limits configure performance settings for your Web site based on
bandwidth usage and connection limits. For example, by restricting either
bandwidth or the number of connections, or both, on a low-priority Web site, you
enable other, higher-priority sites to handle larger traffic loads. You can adjust
these settings as network traffic and usage changes.
Question: Why are Web site limits important when consolidating servers?

Lesson 2:
Configuring Options to Improve IIS
Performance
In this lesson, you will learn how to configure output caching and compression.
You will also learn how to install and configure Windows Server Resource
Manager, and some scenarios and best practices for configuring logging for best
performance.

Configuring Cache Settings
Key Points
In IIS 7.0, you can configure output caching to improve performance on your Web
server, site, or application. When a user requests a Web page, IIS processes the
request and returns a page to the client browser. If you enable output caching, a
copy of that processed Web page is stored in memory on the Web server and
returned to client browsers in subsequent requests for that same resource. This
eliminates the requirement to reprocess the page every time that it is requested.
This is helpful when your content relies on an external program for processing,
such as with a Common Gateway Interface (CGI) program, or includes data from
an external source, such as from a remote share or a database.
Question: What applications in your current environment could benefit from

dynamic output caching?

Guidelines for Configuring Compression
Key Points
HTTP compression lets you make more efficient use of bandwidth and enhances
the performance of sites and applications. You can configure HTTP compression
for both static and dynamic sites.
IIS provides the following compression options:
• Static files only
• Dynamic application responses only
• Both static files and dynamic application responses
Question: When would enabling dynamic compression improve the page load
time for the client?

How to Install and Configure WSRM
Key Points
Microsoft Windows System Resource Manager (WSRM) on Windows Server 2008
allows you to control how CPU and memory resources are allocated to
applications, services, and processes on the computer.
Question: How are you currently using WSRM for Windows Server 2003 in your
organization?

Configuring Logging Frequency
Key Points
Logging a lot of information about the Web server can consume resources and
disk i/o. To minimize the impact to performance:
• Log only minimal information for routine statistics
• Consider saving log files to a separate disk
• Recycle logs
• Configure Failed Request Event Tracing for exceptions
• Use FREB to capture detailed information only in exceptional situations
• Critical errors
• Unresponsive states
Question: How might the configuration of logging change over an application's

lifecycle?

Demonstration: Configuring Authentication
Question: What are some scenarios in which you might use dynamic output
caching?

Lesson 3:
Managing Application Pools to Improve IIS
Performance
Application pools allow you to apply configuration settings to groups of

applications and the worker processes that service those applications. Any Web
site, Web directory, or virtual directory can be assigned to an application pool. In
this lesson, you will learn how to manage application pools to get the best
performance from your Web server. You will also learn how to an application with
Xcopy.

Managing Application Pools
Key Points
You can configure IIS to isolate applications to separate application pools, or
consolidate them. With WSRM you can distribute the processing load.
Additionally, you can configure IIS to automatically recycle worker processes at
specified intervals or when specific resource usage thresholds are met.
Question: Why would you recycle an application pool on a specific time interval?

When to Configure Applications to Use the Same

Application Pool
Key Points
Consolidating multiple applications can significantly save resources on the server.
You might consider assigning multiple applications to an application pool when:
• The applications are known to be stable
• All use same .NET version
• The scenario does not require highest level of security
• There are tight resource constraints on the server
Isolating application to separate application pools is best when:

• The applications are new (unproven)
• There are known problem applications
• You must have sandboxed applications

• The applications use different .NET versions or are legacy apps

• There are security concerns between applications
Question: What is the default behavior for application pools when you create a
new application?

Deploying Applications and Updates with Xcopy
Key Points
Xcopy deployment describes deployment where you use the drag-and-drop feature
in Microsoft Windows Explorer, File Transfer Protocol (FTP), or the DOS Xcopy
command to copy files from one location to another. The application requires no
modifications to the registry and has no special installation requirements for the
host company on hosted sites.
Question: How would you leverage scripting in deploying applications via Xcopy?

Lab: Tuning IIS 7.0 for Improved Performance

Review Questions
1. What is the difference between compression and caching and how do they
interact?
2. What impact do the various performance settings have on CPU usage, memory
usage, disk i/o, and network bandwidth?
3. What options do you have for ensuring that an application does not
monopolize resources?

Ensuring Web Site Availability with Web Farms 9-1
Module 9
Ensuring Web Site Availability with Web Farms
Contents:
Lesson 1: Backing Up and Restoring Web Sites 9-3
Lesson 2: Introducing Shared Configurations 9-8
Lesson 3: Working with Shared Configurations 9-15
Lesson 4: Configuring Network Load Balancing for IIS 9-23
Lab: Ensuring Web Site Availability with Web Farms 9-29

Module Overview
Server farms provide an effective way of ensuring continual, reliable operation of

Web sites and large Web server infrastructures. Windows Server 2008 and IIS 7.0
provide many features for creating reliable Web server farms and managing Web
sites across a dispersed server deployment. One of the main new features for
managing IIS 7.0 server farms is shared configurations, which allow for IIS 7.0
configurations to be centrally deployed and managed.

Lesson 1
Backing Up and Restoring Web Sites
The backup and restore process is a critical process for maintaining a reliable IT
infrastructure. This lesson provides an overview of the backup and restore process
and details specific considerations for Windows Server 2008 II 7.0 systems.

Understanding IIS 7.0 Web Site Backup
Key Points
• IIS 7.0 uses XML config files within the Web sites to manage Web site
configurations and settings. .
• The critical files for Web site backups include all the applications, data files,
and XML config files that reside in the Web site folders.
Question: What backup software, processes, and media might be best used for
backing up IIS 7.0 Web sites and servers?

Configuring Backup for a Web Site and Web Server
Key Points
Windows Server 2008 IIS 7.0 provides an easy method to relocate Web server files
onto UNC shares. However, even with the critical Web site files located in a secure
storage device, it is still necessary to perform regular backups of Web servers
because critical files are still stored on the server.
Question: Web server log files can grow to be very large. What techniques to you
use in your organization to manage Web server log files?

Performing Web Site Restore
Key Points
• A Web server can be easily rebuilt by reinstalling the system and restoring the
Web site application, data, and XML config files.
• Alternately, if the all the Web site data resides locally on the Web server, a
complete restore will be able to return the server to previous functionality.

Performing Web Server Backup Validation
Key Points
• It is critical to insure that Web server backups are complete and accurate and
meet the necessary long term data storage requirements.
• It is important to integrate a server backup validation strategy into your
backup plan.
• There are many techniques that may be performed to test and ensure that the
backups have been completed successfully.
Question: What strategies have you used in the past to insure the validity of
system backups?

Lesson 2
Introducing Shared Configurations
Shared configurations provide an effective way of managing multiple IIS 7.0 Web
servers, to maintain consistent configurations across the server farm. This lesson
provides an introduction to shared configurations, describing the use and benefits.

Reviewing Centralized Shared Configurations
Key Points
• Centralized shared configurations helps supports homogeneous Web farms
where machines share the same configuration across a server group.
• After exporting the configuration from the main server, additional servers in
the Web server farm can be set to use the configuration set on the central file
server.
• By having the servers all using the same files on the same share, IIS 7.0
eliminates the need for replication or synchronization.

Reviewing Advantages of IIS on DFS-enabled Share
Key Points
• Using IIS 7.0 on DFS provides a number of advantages, including easier
management, better performance, and high availability. .
• DFS allows you to use centralized network resources in a unified namespace,
so that it appears to users that files reside in one place on the network. .
Question: What Web sites do you think employ technologies like DFS? What
kinds of advantages do these technologies offer?

Pros and Cons of Offline Configuration Files vs. DFS
Key Points
• Shared offline configuration files offer some benefits over using a complex DF
infrastructure. Shared offline configuration files provide a faster solution that is
quicker and easier to set up.
• While more complex and difficult to deploy, DFS offers many advantages.

Reviewing an IIS Web Site on a DFS-enabled Share
Key Points
• DFS can be used to make files that are distributed across multiple servers. and
allows the network resources to be centralized in a single unified namespace.
• When you use DFS as the filing system for IIS, you can use relative links in
your Web site. These links can point to any network resource even if the
resource does not reside on that same physical server.

Deploying Configuration Files on DFS-enabled Share
Key Points
• Use the DFS Administrator tool to build a single hierarchical view of multiple
file servers and file server shares that are physically distributed across a
network. Then build a logical DFS folder of the main Internet Web site.
• First, make sure the File Server Role Services for Distributed File System
has been installed.
• Start the Distributed File System admin tool.
• Create a New DFS Root.
• Select the name of the domain where you want to create the DFS root
• Type the path and the name of the root for the Web site.

Reviewing the Benefits of using Shared Configurations
Key Points
• Using IIS 7.0 shared configurations offers many advantages for Web site and
server management.
• Manage Portability: Using shared configurations makes it very easy to
relocate a Web site.
• Deploy Replication: Configuration can be pushed out onto multiple
servers, with the same settings, sites, and application pools, to work across
large Web farms.
• Maintain Synchronization: With shared configuration, all the servers will
be updated simultaneously.
• Re-deploy Staged Deployments and Rollback: It is easy to create versions
of configuration and test changes on identically configured servers.
Question: Shared configures offers many benefits to organizations, which do you

think might be most useful to you and/or your organization?

Lesson 3
Working with Shared Configurations
It is very easy to configure and deploy shared configurations with IIS 7.0. You can
use the IIS Manager or the command line to enable shared configurations. This
lesson describes the steps to enable shared configurations. It also offers various
tips, tricks, and best practices for using shared configurations.

Enabling Shared Configuration with the IIS Manager
Key Points
Before you can enable shared configurations, make sure you have your UNC share
configured and enabled. Shared configurations in IIS 7.0 is very robust and
supports a very large number of servers.

Enabling Shared Configuration from the Command Line
Key Points
While not as easy to use, the command line, along with the AppCmd, can be used
to manage and deploy shared configurations.

Exporting and Enabling 2-Node Shared Configuration
Key Points
Here we have the site owner able to deploy their IIS configuration, their ASP.NET
configuration and code, and their content, straight to the server.

Reviewing the Impact if Shared Configuration is Offline
Key Points
An important consideration is what would happen if the server hosting the config
file goes down, while the Web server stay up. The IIS 7.0 shared configuration
system is designed so that the Web site and server's configurations will remain
cached in the Web server, keeping the Web sites functioning until the problem
with the configuration file server is resolved.

Reviewing IIS Shared Configurations Best Practices
Key Points
• It is important to research and maintain best practices if you are deploying
shared configurations. Best practices are always being updated and refined, so
it important to keep up with the latest recommendations.
• A key point in maintaining a healthy shared configuration infrastructure is to
make sure all servers in the server farm have identical configurations and the
same components.

Reviewing IIS Shared Configurations Tips and Tricks
Key Points
• If you want to use Xcopy to deploy your server configuration instead of using
the IIS Manager, it’s important to note a few things.
• The machine keys are used to encrypt properties like passwords for
application pool identities or anonymous users.
• If you installed any custom modules or certificates, they should exist on all
the machines before your share configuration.
• You need to install any components on all servers in the farm before sharing
their configs. If you install a filter or an IIS component, such as Basic
authentication, you must remove the server from shared configuration and
install it locally. Then ensure it exists on all machines before restoring sharing
configurations.

Reviewing Web Farm Session State Requirements
Key Points
• Session states lets you associate a server-side string or object dictionary
with a particular HTTP client session.
• The session data is stored on the server side in one of the supported
session state stores.
• Using session state in an ASP.NET application can add noticeable
overhead to the application performance.
• By taking advantage of optimizations using best practices, the impact of
session state management may be reduced.
• Not all pages will need access to session state.

Lesson 4
Configuring Network Load Balancing for IIS
Network load balancing is an excellent way of configuring large server farms to

provide a high-availability solution for mission-critical Web sites. In this lesson we
will review how network load balancing works, how to configure network load
balancing, and then review the best practices.

Reviewing Network Load Balancing
Key Points
• Network Load Balancing is a system where multiple servers share a single IP
address and where clients access services through the shared IP address.
• Load balancing can be hardware- or software-based. Windows Server 2008
includes software-based load balancing. If you use hardware-based load
balancing, you must consider the scalability and fault tolerance of the Network
Load Balancing hardware.
Question: Does your organization currently have network load balancing

deployed? Which type do you think would be best for your organization,
hardware-based or software-based?

Configuring Network Load Balancing in IIS 7.0
Key Points
• Network Load Balancing can be used in different areas of a Web enterprise,
including, setting up a high-availability firewall cluster, a large farm of Web
servers, and a robust array of data storage servers.
• Network Load is particularly useful for ensuring that Web pages from a server
running IIS 7.0 are highly available and can be scaled out by adding additional
servers as the load increases. The ease with which Network Load Balancing
allows you to replace a malfunctioning server or add a new server to provide
scalability.
Question: Deploying Network Load Balancing in the different areas of a Web

enterprise provide different types of benefits. Describe the different types of
benefits offered by deploying firewall, Web server, and data store clusters.

Configuring NLB Using Shared Configurations
Key Points
IIS 7.0 Shared Configurations allows for easier deployment and management of
Network Load Balanced server farms.

Verifying Network Load Balancing Functionality
Key Points
It is important to test and continuously monitor Network Load Balancing
functionality. There are many tools available to help automate the task of
monitoring your servers and clusters.

Reviewing NLB IIS Server Farms Best Practices
Key Points
• There are many sources for recommendations for the best ways to configure
and manage Network Load Balancing systems. A few are mentioned here, but
it is important to perform thorough research before deploying this type of
complex system.
• There are many sources for recommendations for the best ways to configure
and manage Network Load Balancing systems. A few are mentioned here, but
it is important to perform thorough research before deploying this type of
complex system.

Lab 1: Ensuring Web Site Availability with Web

Farms
Exercise 1: Backing Up an IIS Web Site

Scenario
The Enterprise Design Team has asked you to explore options for increasing Web
site availability. Before you begin, you will back up an existing site and verify that it
can be restored properly.
Provide the main tasks for the exercise here.
1. Start the 6427K-NYC-WEB virtual machine and log on as Administrator
2. Backup the Web site, Web application, and config files to the E: drive

f Task 1: Start the 6427K-NYC-WEB virtual machine and log on as

Administrator.
f Task 2: Backup the Web site, Web application, and config files to the
E: drive.
Results: After this exercise, you should have successfully backed up a Web site. Provide
the results of the exercise so students will know when and if they have completed the
lab exercise successfully.
Exercise 2: Restoring an IIS Web Site

Scenario
The Enterprise Design Team has asked you to verify that the backups can be
restored properly. Do this by restoring the Web files to a second server and
confirm that the second server functions properly.
1. Start the 6427K-NYC-WEB-02 virtual machine and log on as Administrator
2. Restore the Web site, Web application, and config files from the shared drive
f Task 1: Start the 6427K-NYC-WEB-02 virtual machine and log on as

Administrator
f Task 2: Restore the Web site, Web application, and config files from
the shared drive.
Results: After this exercise, you should have successfully restored a Web site to a
second server. Provide the results of the exercise so students will know when and if
they have completed the lab exercise successfully.

Exercise 3: Enabling Shared Configurations

Scenario
The next step is for increasing Web site availability. Now that you have two
identically configured Web servers, implement shared configurations for them.
1. Export and Enable Shared Configuration
2. Add the second Web server to use the Shared Configuration
3. Test the Shared Configuration
f Task 1: Export and Enable Shared Configuration
f Task 2: Add the second Web server to use the Shared Configuration.
f Task 3: Test the Shared Configuration.
Results: After this exercise, you should have successfully configured a two-server
network with an underlying foundation of shared configurations. Provide the results of
the exercise so students will know when and if they have completed the lab exercise
successfully.

Exercise 4: Configuring Network Load Balancing

Scenario
With the two Web servers set up with Shared Configurations, configure Network
Load Balancing to increase Web site availability.
1. Create a new Network Load Balancing cluster
2. Add the second host to the Network Load Balancing cluster
3. Add the second server to the Network Load Balancing cluster
4. Verify Network Load Balancing using NLB commands
f Task 1: Create a new Network Load Balancing cluster
f Task 2: Add the second host to the Network Load Balancing cluster
f Task 3: Add the second server to the Network Load Balancing cluster
f Task 4: Verify Network Load Balancing using NLB commands
Results: After this exercise, you should have successfully restored a Web site to a
second server. Provide the results of the exercise so students will know when and if
they have completed the lab exercise successfully.

Review Questions
1. Question: Explain some of the actions that may be taken to validate that a Web
server backup was completed successfully?
Answer: Examine backup logs, Check for error messages, Perform occasional
test recoveries, Check the integrity of the data.
2. Question: Explain some of the advantages of using IIS on a DFS-enabled share.

Answer: DFS allows you to centralize the network resources in a unified
namespace. The logical namespace remains constant even if you move
network resources to either a different server or a shared folder. DFS can be
used with IIS to make Web site management easier. It can offer better
performance and high availability.

3. Question: Explain the benefits of using shared configurations in a IIS 7.0 Web
server enterprise.
Answer: Manage Portability: The IIS site configuration is stored in the
Web.config file, along with the code and content, making it very easy to move
a Web site. A developer or server administrator can control configuration and
to deploy from a test or dev machine straight to the server. Another aspect of
portability is that environment variables, such as %windir%, can be used in the
configuration file.
Deploy Replication: Configuration can be pushed out onto multiple servers,
with the same settings, the same sites, and the same application pools, to work
across a Web farm. Maintain Synchronization: It is important to synchronize
changes across a Web server farm. With shared configuration, all the servers
will be updated simultaneously.
Re-deploy Staged Deployments and Rollback: We need to be able to
implement new features across a Web server farm. It is now easy to create
versions of configuration and test changes on identically configured servers.
4. Question: Explain what happens if the file server with the configuration files
goes down, but the Web servers remain functional.
Answer: The configurations will be cached in memory. Files are copied locally
and then used until file server hosting the config files is back online. If the
Web server or service is restarted, it will report an invalid config.
5. Question: Explain some of the advantages of using Network Load Balancing

clusters.
Answer: It can provide scalability load balancing, and fault tolerance.

Common Issues in Configuring Shared Configuration and Network

Load Balancing
Shared configuration export fails Make sure the UNC share is configured
properly
Shared configuration fails Make sure you are using the correct password
NLB fails Make sure servers have correct IP

configuration and are on the same subnet.

1. Margie's Travel is experiencing expanded growth in use of their Web site. In
order to meet that demand they decide to add additional Web servers in a
Network Load Balancing configuration. How would you recommend to do
this?
2. Adventure Works wants to expand their server reliability so they decided to
deploy shared configurations for their Web servers. What would be the best
way of deploying this?

Best Practices for Shared Configurations and Network Load Balancing

• Before you enable shared configuration
• Make sure that all the servers have the same components.
• Verify each machine using Role Manager or registry query.
• Before you install a new component in a shared configuration network
• If it writes to the applicationHost.config, you can’t install it with shared
config enabled.
• Take servers offline and update separately.
• Configure servers as needed before enabling shared config.
• Secure the Network Load Balancing systems
• The NLB subnet must be physically protected from intrusion to avoid
interference from unauthorized heartbeat packets.
• Administration tools that administer NLB clusters can be run from remote
workstations. Ensure that the applications are run from trusted
computers.
• Consistently install the same set of modules
Tools

IIS Manager • Managing IIS Server Administrative Tools
NLB Manager • Managing NLB Administrative Tools

Troubleshooting IIS 7.0 Web Servers 10-1
Module 10
Troubleshooting IIS 7.0 Web Servers
Contents:
Lesson 1: Using IIS 7.0 Logging for Troubleshooting 10-3
Lesson 2: Troubleshooting Authentication and Authorization 10-10
Lesson 3: Troubleshooting Communication 10-17
Lesson 4: Troubleshooting Configuration 10-22
Lab: Troubleshooting IIS 7.0 Web Servers 10-26

Module Overview
Logging and tracing are essential to troubleshooting many types of Web server
issues. In addition, the new tracing infrastructure allows detailed error messages to
help administrators solve problems quickly. In this module, you learn about the
supportability enhancements to IIS 7.0 and you will use them to troubleshoot a
variety of problems.

Lesson 1:
Using IIS 7.0 Logging for Troubleshooting
Before trying to troubleshoot an issue, it is important to understand logging and

the new tracing infrastructure in IIS 7.0. In this module, you will learn about
logging, tracing, and the new Failed Request Tracing feature. You will also learn
about some best practices for configuring logging.

Why Audit IIS Logs?
Key Points
In addition to the Windows Server 2008 system and security logs, you should
configure IIS to log site visits. When users access your server that is running IIS
7.0, IIS logs the information. The logs provide valuable information that you can
use to identify any errors that occur on your Web server.
Question: What is logged on a successful visit?

How the Tracing Infrastructure Works
Key Points
In IIS 6.0, all of the tracing data was hard-coded into ETW (Event Tracing for
Windows), requiring the use of ETW to gather trace logs. With IIS 7.0, this has
changed. All tracing is now emitted through a single tracing infrastructure. A
custom module can also register for tracing notifications.
All tracing is done through the unified pipeline and consumed by two modules
that ship with IIS, the ETW trace module and the IIS Failed Request Tracing
module. Developers can easily create their own trace events. The modular
infrastructure also allows Microsoft to ship updated tracing modules without
requiring an operating system upgrade or service pack installation.
Question: How are you using tracing in your environment today?

When to Monitor for Critical Errors
Key Points
Request-based tracing provides a great way to figure out what exactly is happening
to requests, provided the problem can be reproduced. Problems like poor
performance on some requests, authentication related failures, or Server 500 errors
from ASP or ASP.NET can be very difficult to troubleshoot unless you have
captured the trace of the problem when it occurs. Failed Request Tracing is
designed to buffer the trace events for a request and only save them to disk if the
request meets the criteria defined by the administrator.
Question: What are the scenarios in your organization that you might use Failed
Event Tracing for an application?

Creating a Failed Request Tracing Rule to Monitor Critical

Errors
Key Points
With tracing for failed requests, you can capture an XML formatted log of a
problem when it occurs, so that you do not have to reproduce the problem before
you start troubleshooting. Additionally, you can define failure conditions for
applications and configure which trace events to log on a per-URL basis.
Tracing for failed requests is configured at two levels:
• At the site level, you enable or disable tracing and configure log file settings.
• At the application level, you specify the failure conditions for capturing the
trace events and also configure which trace events should be captured in the
log file entries.
Question: How would you configure Failed Event Tracing differently for the life
cycle of an application (test, initial deployment, etc.)?

Configuring Selective Logging for an Application
Key Points
Enable logging for a site when you want IIS to selectively log only certain requests
to a site based on configured criteria. As soon as site logging is enabled, you can
enable selective logging for any applications on the site. You can also then view the
log file to see both which requests are failing and which requests are succeeding.
Question: What business requirements for reporting does your organization have
that might impact logging for specific applications?

Best Practices for Logging
Key Points
Logging can impact performance and resources on the Web server. Use Best
Practices to minimize the impact while maintaining useful logs.
Question: What best practices are in place for logging in your environment?

Lesson 2:
Troubleshooting Authentication and
Authorization
For a connection attempt to be accepted, the connection attempt must be both

authenticated and authorized. It is possible for the connection attempt to be
authenticated by using valid credentials, but not authorized. In this case, the
connection attempt is denied. In this lesson, you will learn about common
authentication and authorization error messages and how to troubleshoot them
using logging and tracing.

What are Common Error Messages?
Key Points
HTTP 401 errors are among the most common errors you may have to deal with in
IIS. While the causes for these errors can vary greatly, the causes fall into a finite
number of categories. Correctly identifying the category of the cause for your HTTP
401 error can decrease the amount of time needed to identify the root cause of the
error.
Question: What are the different ways in which a 401 error may appear to an end-
user? How does it vary depending on IIS setting, browser, and browser settings?

Reviewing Common Causes of Errors
Key Points
When you troubleshoot HTTP 401 errors, the first step should always be to
determine the substatus code.
Code Definition
401.1 Authentication was attempted, but failed.
401.2 Authentication was not attempted because the server and client could
not agree on an authentication protocol.
401.3 Authentication was successful, but the account that authenticated does
not have sufficient permissions to access the requested resource or
content.
401.4 An ISAPI filter denied the request
401.5 An ISAPI extension or CGI application denied the request.

Question: What is an ACL?

Enabling Trace Logging
Key Points
Enable trace logging for failed requests when you want IIS to log information about
a request that is failing to serve content from a site or an application. When trace
logging for failed requests is enabled, IIS provides targeted logging so that you no
longer have to look through a list of irrelevant log entries to find a failed request.
Additionally, you do not have to re-create an error in order to troubleshoot it.
The trace will contain the identity, the authentication method, and the resources
being accessed.
Question: How can a trace log help you separate authentication and authorization
failures?

Auditing IIS Logs for Authentication and Authorization

Issues
Key Points
Use logs to find the point of failure in the authentication and authorization
process. The distinction between authentication and authorization is important in
understanding why connection attempts are either accepted or denied:
• Authentication is the verification of the credentials of the connection attempt.
This process consists of sending the credentials from the remote access client
to the remote access server in an either plaintext or encrypted form by using
an authentication protocol.
• Authorization is the verification that the connection attempt is allowed.
Authorization occurs after successful authentication.
Question: Why might you see multiple authentication entries in a log?

Demonstration: Examining the Output of Trace Logging
Question: What business process could you put into place to decide what errors to
trace?

Lesson 3:
Troubleshooting Communication
When communication between the client and server fails, or is intermittent, it can
be difficult to detect on the server. In addition, communication issues between
servers can cause Web sites and applications to fail. In this lesson, you will learn
about common communication errors, and how to use logs and tools to
troubleshoot them.

What are Common Communication Error Messages?
Key Points
When troubleshooting communication issues, you need to determine if the client
can communicate with the Web server at all. If the server is responding to the
client with a substatus code, then you can troubleshoot the communication from
the server side.
Question: When would a communication issue look like an authentication error?

Auditing IIS Logs for Communication Issues
Key Points
Client errors
Status codes between 400 and 500 specify an error made by the client, e.g. bad
syntax or a request to a resource that doesn't exist. You can try this by requesting a
bogus URL from the Web-site of your choice, for example:
http://<IIS7Server>/this_resource_does_not_exist. You get a "404 - File not found"
error.
Server errors
Status codes starting with 500 are errors caused by the server. The most common
causes for 500 errors on IIS systems are
• An ASP or ASPX page that contains a syntax error
• The Web server configuration or the application configuration cannot be read
or is invalid
• The site is stopped

Question: When would a log not be helpful in troubleshooting a communication

error?

Verifying Communication
Key Points
Ping your server
If your Web browser returned either the Cannot find server error or The page
cannot be displayed error, then use the ping command to test for the following:
• The name resolution server resolves your IIS Web server's name to its IP
address
• Your server responds to network requests from a remote computer
To ping your server by IP address

• From a remote computer, in the command prompt, type ping IPaddress
Question: Think of an application running on a server in your current

environment. How many other servers (domain controllers, file share, database)
are involved in a client request?

Lesson 4:
Troubleshooting Configuration
Configuration issues can be difficult to diagnose because they can look like other
types of errors. In this lesson, you will learn about common configuration errors,
and how to use IIS logs, tracing and detailed errors to troubleshoot them.

What are Common Configuration Error Messages?
Key Points
Server software and Web servers are very complex and highly configurable systems
that support multi-tier applications using a variety of technologies and subsystems.
IIS7 strives to improve the experience of diagnosing and solving problems when
they do occur. Since configuration problems can appear as other types of errors,
knowing how to use the new IIS7 diagnostics features is essential to
troubleshooting server problems.
Question: Why not enable detailed error messages for all users?

Reviewing Common Causes of Configuration Errors
Key Points
Typically, 403 errors occur when an operation or request is disallowed because a
requirement other than proper authentication credentials is not met.
503 errors are generated by the WAS (formerly W3SVC) service, which is
responsible for creating IIS worker processes to handle incoming http requests.
When WAS fails to create a worker process, it will generate this error.
500 errors indicate an error condition on the server when trying to process the
request. Use Failed Request Tracing and detailed error messages to find out the
cause.
Question: Why not enable detailed error messages for all users?

Auditing IIS Logs for Configuration Issues
Key Points
Because of the complexity of configuration errors, making use of all available tools,
such as logs, Failed Request Tracing, and detailed error messages will greatly speed
the troubleshooting process.
Use the tracing logs to pin point the point of failure and detailed error messages
for most likely causes and resolutions.
Question: How do you troubleshoot configuration issues in your organization?

Lab: Troubleshooting IIS 7.0 Web Servers

Review Questions
1. What is the difference between custom errors and detailed errors?
2. Why are configuration issues difficult to diagnose?


Moc 6427a Configuring and Troubleshooting Iis v7.0 in Windows Server 2008-Student Manual

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Moc 6427a Configuring and Troubleshooting Iis v7.0 in Windows Server 2008-Student Manual

Hochgeladen von

Copyright:

Verfügbare Formate

OFFICIAL MICROSOFT LEARNING PRODUCT

Be sure to access the extended learning content on your

BETA COURSEWARE. EXPIRES 5/15/2008

Technical Reviewer: FirstName LastName

Product Number: 6427A

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

Module 2: Configuring IIS 7.0 Web Sites and Application Pools

Module 3: Configuring IIS 7.0 Application Settings

Module 4: Configuring IIS 7.0 Modules

BETA COURSEWARE. EXPIRES 5/15/2008

Module 6: Configuring Delegation and Remote Administration

Module 7: Using Command-line and Scripting for IIS 7.0 Administration

Module 8: Tuning IIS 7.0 for Improved Performance

Module 9: Ensuring Web Site Availability with Web Farms

BETA COURSEWARE. EXPIRES 5/15/2008

Module 10: Troubleshooting IIS 7.0 Web Servers

BETA COURSEWARE. EXPIRES 5/15/2008

About This Course

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

To provide additional comments or feedback on the course, send e-mail to

BETA COURSEWARE. EXPIRES 5/15/2008

Virtual Machine Environment

Virtual Machine Configuration

Virtual machine Role

NYC-SVR1 Member server used to install IIS

NYC-SVR2 Member server used to install IIS

NYC-SVR3 Member server used to install IIS

NYC-WEB2 A secondary Web server

NYC-WEB-A A primary Web server

NYC-WEB-B A primary Web server

NYC-WEB-C A primary Web server

NYC-WEB-D A primary Web server

BETA COURSEWARE. EXPIRES 5/15/2008

Course Hardware Level

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

Before implementing Internet Information Services, it is important to understand

BETA COURSEWARE. EXPIRES 5/15/2008

Introducing IIS 7.0 Architecture

The key advantages of the unified pipeline are:

BETA COURSEWARE. EXPIRES 5/15/2008

BETA COURSEWARE. EXPIRES 5/15/2008

What are Typical Workloads?

BETA COURSEWARE. EXPIRES 5/15/2008

Deploying IIS requires an understanding of the various installation methods

BETA COURSEWARE. EXPIRES 5/15/2008

Choosing an Installation Method

BETA COURSEWARE. EXPIRES 5/15/2008

Installing IIS from the Role Manager

BETA COURSEWARE. EXPIRES 5/15/2008

Installing IIS from the Command Line using Pkgmgr

BETA COURSEWARE. EXPIRES 5/15/2008

Installing IIS using Unattended Setup

BETA COURSEWARE. EXPIRES 5/15/2008

Selecting the Appropriate Workload