Chapter 1: IIS Fundamentals
Internet Information Services (IIS) is Microsoft's suite of applications for the Internet. With support for the web, File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and Simple Mail Transfer Protocol (SMTP) for e-mail, IIS is much more than just a web server. Because it is fully integrated at the operating system level, it works well with Microsoft .NET applications, and it allows organizations to add Internet capabilities that weave directly into the rest of their infrastructure. As the Internet becomes more prevalent in our daily lives, the infrastructure behind it becomes more complicated, and the knowledge of how to support that infrastructure becomes more valuable. This chapter will introduce you to Windows Server 2003 (WS03) and the features of IIS 6. It also covers the metabase (which holds all the configuration information for IIS) and the architecture of IIS 6. Let's get started.
Windows Server 2003 editions:

Edition       Memory   Processors
Standard      4G       2
Enterprise    32G*     8
Datacenter    64G*     32
A Little History
Before we get started installing IIS, let's take a trip down memory lane and cover the history of IIS.
IIS 1 was available as an add-on to Windows NT 3.51. It didn't have many features, but it included the standard web, FTP, and Gopher services. IIS 2 was included with Windows NT 4. It wasn't tremendously different from IIS 1. IIS was upgraded to version 3 when Service Pack 3 for Windows NT 4 was installed. It included new features, such as Active Server Pages (ASP). IIS 4 was available with the Windows NT 4 Option Pack. It was a major overhaul of IIS, removed the Gopher service, and greatly enhanced the feature set of IIS. IIS 5 was included with Windows 2000 Server. It was not a major upgrade from IIS 4. IIS 6 represents a fundamental shift in the web services product offering from Microsoft. While the FTP, SMTP, and Network News Transfer Protocol (NNTP) services are not extremely different, the web server component of IIS 6 has a new focus on security and fundamental changes in the way it behaves at its core.
Table: IIS Version 5 compared with Version 6 (only the column headings Version 5 and Version 6 are reproduced here).
Installing IIS
In Windows 2000 Server, IIS was part of a default installation. However, in WS03, you must install IIS manually. With Microsoft's new mindset of "off by default," IIS is no longer part of a default installation. Here's how to install IIS:
1. In the Control Panel, click Add Or Remove Programs to open the Add Or Remove Programs dialog box.
2. Click the Add/Remove Windows Components icon on the left. The Windows Components Wizard will pop up.
3. Click Application Server, and then click the Details button.
4. The IIS components are located in the Internet Information Services area. If you click the IIS checkbox, only the default components will be installed. To install optional components (subcomponents), you must select them manually.
Figure 1-1. Subcomponents of IIS
Common Files
You must install this component or IIS won't work.
Internet Printing
This component installs the options that allow you to configure and share printers over HTTP. This option is the same as the Windows 2000 Server web printing options. In WS03, it is now an optional service.
NNTP Service
This component installs the News Server, which allows the creation of newsgroups.
SMTP Service
This installs the SMTP Service, which allows the IIS server to send e-mail. It's useful for those web sites that let visitors send e-mail.
Active Server Pages
The Active Server Pages subcomponent installs the ASP DLL and other files that support ASP for your web server. This option is always installed, although it is disabled by default.
Internet Data Connector
Internet Data Connector (IDC) allows for database connectivity in your web site. This option is always installed.
Remote Administration (HTML)
Installing this option enables you to administer IIS remotely through a web browser. This is different from the previous HTML administration options for IIS, with which you could administer only the same server.
Remote Desktop Web Connection
This installs the ActiveX control that allows Internet Explorer web browsers to connect to a terminal server session using the pages provided. This was available in Windows 2000 as the Terminal Services Advanced Client.
Server Side Includes
This provides support for server-side includes and is always installed.
WebDAV Publishing
WebDAV stands for Web-based Distributed Authoring and Versioning. It is a set of extensions to HTTP that allows users to access and manage files on WebDAV published directories on your web server. It is always installed.
World Wide Web Service
This component installs the core WWW service application. Without this, many IIS components won't function.
IIS Services
Several services run to support IIS; each is listed in the services control panel for WS03. The services that appear depend on which components of IIS are installed. If a component isn't installed, the associated service will not appear in the services control panel.
IIS Admin Service
This is the main administration service for IIS. All the other services depend on this service, so if this service is stopped, all other IIS services will stop as well.
FTP Publishing
This is the service behind the FTP server component of IIS.
World Wide Web Publishing
This is the service behind the web server component of IIS.
Simple Mail Transfer Protocol (SMTP)
This is the service behind the SMTP server component of IIS.
Network News Transfer Protocol (NNTP)
This is the service behind the NNTP server component of IIS.
HTTP SSL
This is the service that enables the WWW Publishing service to perform SSL (Secure Sockets Layer) certificate functions. The WWW Publishing service depends on this service. Service dependencies allow services to be linked so that a service that needs another service won't be started without its partner. Dependencies can be viewed in the Dependencies tab of the Properties window for a service.
Directory                Explanation
ASP Compiled Templates   If you use an ASP template for your site, it is stored here.
History                  The history folder for the metabase changes, which allows you to roll back the metabase.
iisadmpwd                Contains ASP pages dealing with IIS Admin authentication.
MetaBack                 The default directory for metabase backups.
For more information on the metabase, see the section The Metabase later in this chapter.
Directory      Description
AdminScripts   Contains some Visual Basic scripts for use in administering your IIS server
ftproot        The top-level directory for the FTP service
mailroot       The top-level directory for the SMTP service
nntpfile       The top-level directory for the NNTP service
wwwroot        The top-level directory for the default web site
IUSR_COMPUTERNAME
This user account grants anonymous access to a web site when a user connects to a web page without any security information of his or her own. This user is not a member of any group other than Guests, by default.
IWAM_COMPUTERNAME
This user account is used to launch worker processes. It is a member of the IIS_WPG group.
IIS_WPG
The members of this group can run worker processes. Any user account that runs worker processes needs to be a member of this group. This is a low-security account that has the rights of Network Service. Processes using the Network Service level of rights can access the server as though they were running from outside the server, so they don't have direct access to the operating system. You can view these in the Computer Management MMC, in the Administrative Tools group. Here's how to open Users and Groups:
1. At the Start menu, click Administrative Tools and then Computer Management.
2. In the Computer Management MMC, users and groups are listed separately under Local Users and Groups.
3. However, if this computer is a domain controller, users and groups are located in Active Directory Users And Computers under Administrative Tools.
Navigating IIS
IIS is managed through an MMC snap-in. The MMC is a framework that allows for a common look and feel across applications. IIS 6 is managed by, simply enough, the IIS snap-in. The IIS MMC is located under Administrative Tools in the Start menu.
Figure 1-2.
Local Computer Properties The properties for the local computer allow you to change the options that globally affect all components of IIS. To access the local computer properties, right-click computername (Local Computer) in the IIS MMC, and then choose Properties. You'll see the Properties window shown in Figure 1-3. Changing something here requires that IIS be restarted after you make the change. Two options affect IIS as a whole: Enable Direct Metabase Edit and Encode Web Logs In UTF-8.
Figure 1-3.
The Enable Direct Metabase Edit option allows you to edit the metabase while IIS is running. In previous IIS versions, the metabase was a binary file that could be accessed only with a resource kit utility. Now that it is an XML (eXtensible Markup Language) file, you can edit the metabase with Notepad. You can cut and paste the configuration, save, and it will take effect immediately. This does require the metabase history to be enabled, but since that's the default, it shouldn't be a problem. The Encode Web Logs In UTF-8 option sets the web and/or FTP logs to log in the UTF-8 standard rather than in the local character set. UTF-8 is a standard for encoding text with 8-bit encoding of Unicode characters. One to six octets are used to represent each character. UTF-8 uses a universal character set and preserves ASCII text for backward compatibility.
The Metabase
The metabase is roughly equivalent to the registry for IIS: it holds all the configuration information for IIS. In previous versions, the metabase was a binary file that could be edited only by the metabase editor, part of the resource kit. In IIS 6, the metabase is a good old XML text file (as shown in Figure 1-4) that can be edited with Notepad. Even though the metabase in IIS 6 is completely different, it is still completely compatible with the IIS 5 metabase, so all the same APIs and scripts still work.
Figure 1-4.
The metabase is stored in %systemroot%\system32\inetsrv and is called, appropriately enough, MetaBase.xml. The schema for the metabase is called MBSchema.xml. Because the metabase is a text file, it can easily be edited with any text editor, and it is less likely to be corrupted. Even if the metabase does experience corruption, it can easily be fixed or recovered.
Metabase History
The metabase is backed up and versioned periodically by IIS. Two version numbers are used for the metabase: a major version number and a minor version number. The names of the backup files are MetaBase_[10 digit major version number]_[10 digit minor version number].xml and MBSchema_[10 digit major version number]_[10 digit minor version number].xml (for example, MBSchema_0000000160_0000000000.xml). By default, ten copies of the metabase files are stored. This allows the metabase to be rolled back to any of these previous versions. The number of metabase versions kept is configurable by editing the MaxHistoryFiles property in the metabase. As a general rule, you shouldn't configure fewer than ten copies of the metabase history to be kept. Each time the metabase is saved, a backup copy of the metabase and the corresponding schema are made in the history folder. IIS checks how many history file pairs are present, and if more files are present than the value of MaxHistoryFiles, IIS deletes the oldest pair.
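The two computer-wide options (direct metabase edit, UTF-8 logging) and the history naming and MaxHistoryFiles pruning rule, worked through in Python as an added example that is not code from the book or from IIS: it reads the IIsComputer attributes from a constructed MetaBase.xml fragment, flags the two conditions the text calls out (direct edit enabled without history, fewer than ten history copies), and computes which history file pairs IIS would delete for a constructed listing of the History directory. EnableEditWhileRunning, EnableHistory, LogInUTF8 and MaxHistoryFiles are the IIS 6 metabase property names behind those options; every value, file name and version number below is made up for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified fragment in the shape of an IIS 6 MetaBase.xml (not taken
# from any real server). EnableEditWhileRunning, EnableHistory, MaxHistoryFiles and
# LogInUTF8 are the IIsComputer metabase properties behind the options in the text.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration>
  <MBProperty>
    <IIsComputer Location="/LM"
        EnableEditWhileRunning="1"
        EnableHistory="1"
        LogInUTF8="0"
        MaxHistoryFiles="3" />
    <IIsWebService Location="/LM/W3SVC" />
  </MBProperty>
</configuration>
"""

# Constructed listing of the History folder, including an orphaned schema file
# and a stray backup copy that must both be ignored by the pruning logic.
SAMPLE_HISTORY = [
    "MBSchema_0000000157_0000000000.xml",   # no matching MetaBase_ file
    "MetaBase_0000000158_0000000000.xml", "MBSchema_0000000158_0000000000.xml",
    "MetaBase_0000000159_0000000000.xml", "MBSchema_0000000159_0000000000.xml",
    "MetaBase_0000000159_0000000001.xml", "MBSchema_0000000159_0000000001.xml",
    "MetaBase_0000000160_0000000000.xml", "MBSchema_0000000160_0000000000.xml",
    "MetaBase_0000000161_0000000000.xml", "MBSchema_0000000161_0000000000.xml",
    "MetaBase.xml.bak",
]

BOOL_PROPS = ("EnableEditWhileRunning", "EnableHistory", "LogInUTF8")


def read_computer_settings(xml_text):
    """Pull the computer-wide options out of the IIsComputer node."""
    root = ET.fromstring(xml_text)
    node = root.find(".//IIsComputer")
    if node is None:
        raise ValueError("no IIsComputer node in metabase")
    settings = {name: node.get(name, "0") == "1" for name in BOOL_PROPS}
    settings["MaxHistoryFiles"] = int(node.get("MaxHistoryFiles", "10"))
    return settings


def audit_settings(settings):
    """Apply the chapter's two rules: direct edit needs history; keep at least 10 copies."""
    findings = []
    if settings["EnableEditWhileRunning"] and not settings["EnableHistory"]:
        findings.append("direct metabase edit is on but metabase history is off")
    if settings["MaxHistoryFiles"] < 10:
        findings.append("MaxHistoryFiles=%d is below the recommended minimum of 10"
                        % settings["MaxHistoryFiles"])
    return findings


HISTORY_RE = re.compile(r"^(MetaBase|MBSchema)_(\d{10})_(\d{10})\.xml$")


def history_filename(kind, major, minor):
    """Build a history file name from its version pair (ten-digit, zero-padded)."""
    return "%s_%010d_%010d.xml" % (kind, major, minor)


def parse_history_name(name):
    """Return (kind, major, minor) for a history file, or None for anything else."""
    m = HISTORY_RE.match(name)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None


def complete_pairs(filenames):
    """Version pairs that have both a MetaBase_ and an MBSchema_ file, oldest first."""
    kinds_by_version = {}
    for name in filenames:
        parsed = parse_history_name(name)
        if parsed:
            kind, major, minor = parsed
            kinds_by_version.setdefault((major, minor), set()).add(kind)
    return sorted(v for v, kinds in kinds_by_version.items()
                  if kinds == {"MetaBase", "MBSchema"})


def prune_plan(filenames, max_history_files):
    """Split history pairs into (kept, deleted): the oldest pairs beyond the limit go."""
    pairs = complete_pairs(filenames)
    excess = max(0, len(pairs) - max_history_files)
    return pairs[excess:], pairs[:excess]


if __name__ == "__main__":
    settings = read_computer_settings(SAMPLE_METABASE)
    print(settings, audit_settings(settings))
    kept, deleted = prune_plan(SAMPLE_HISTORY, settings["MaxHistoryFiles"])
    print("kept:", kept, "deleted:", deleted)
```

Pointing read_computer_settings at a real %systemroot%\system32\inetsrv\MetaBase.xml and prune_plan at the real History directory listing turns this into a quick check that the rollback safety net the chapter relies on is actually configured the way the text recommends.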
The metabase can be fully backed up and restored using the Backup/Restore Configuration option in the IIS MMC. To access it, highlight the computer in IIS, and choose Action | All Tasks | Backup/Restore Configuration. From the Configuration Backup/Restore dialog box shown in Figure 1-5, you can choose to back up, restore, or delete a metabase backup. All the metabase backups appear here.
Figure 1-5. Backup/restore configuration
Metabase Snapshots
Another way to back up the metabase is to use the Windows Backup Utility. The Backup Utility uses the Metabase Snapshot Writer automatically to make sure the MetaBase.xml and MBSchema.xml files are successfully backed up. When the Backup Utility detects that the drive to be backed up contains the metabase, it writes the in-memory metabase to the files and prevents anything from being added to the in-memory metabase for up to two minutes. The Metabase Snapshot Writer is not used during Backup Utility restores. If you are going to restore the metabase files, make sure that you stop the IIS services first, so you don't risk data loss.
IIS 6 Architecture
If you've worked with previous versions of IIS, you'll notice some significant improvements with IIS 6. Version 6 is designed to be much more stable and secure than previous versions. As you're going through this information, keep in mind that this refers to the web server component of IIS. In IIS 6, FTP, SMTP, and NNTP still run in the inetinfo.exe process. Previously in IIS (see Figure 1-6), everything ran in the inetinfo.exe process or out of process in dllhost.exe. An errant web site running in inetinfo.exe could take down the entire web service, causing an outage. IIS 6 separates web-server code from application-handling code with a kernel-mode HTTP listener, http.sys, and the Web Administration Service (WAS), which is a user-mode configuration and process manager (see Figure 1-7). These programs don't run any third-party code, so they can't be affected by an errant web site. The code is run in a worker process. These worker processes are run by the application w3wp.exe. Each copy of w3wp.exe is another worker process. These worker processes are separate from each other and from the kernel so that they can be isolated from the operating system. In process refers to code that runs in the same process as the parent. Out of process refers to code that is run in a separate process.
Figure 1-6.
Figure 1-7.
Most web sites will work just fine under IIS 6, but a few events would force you to use isolation mode and abandon worker process recycling:
- Multi-instance ISAPIs that are written to be used multiple times simultaneously by different processes
- Read raw-data filters that would try to grab all the data before it hits a web site
- In-process session state variables, because they are lost every time a worker process is recycled
- Applications that farm out work to their own worker processes
Enabling isolation mode must be done at the root level for the Web Sites folder in the IIS MMC. This is done for all web sites on this server as a whole; you cannot enable it on a per-web-site basis. Here's how it's done:
1. Open the IIS MMC.
2. Right-click the Web Sites folder and choose Properties.
3. Click the Service tab. Note that this tab is available only at this level.
4. Place a check mark in the box to Run WWW Service In IIS 5.0 Isolation Mode.
5. Click OK to return to the IIS MMC.
Application Pools
IIS 6 introduces a whole new way of handling applications. Application pools allow code to be run in an isolated environment. Each application pool is serviced by one or more worker processes. When IIS starts, the Web Administration Service initializes the http.sys namespace routing table with one entry for each application. This routing table determines to which application pool each application's requests should be routed. When http.sys receives a request, it asks WAS to start up one or more worker processes to handle that application pool. This isolation of processes makes the web server as a whole more stable.
Health Monitoring
The WAS is able to keep IIS healthy by keeping track of the worker processes and monitoring their health. It can control these processes to keep them from causing IIS to stop responding. WAS keeps track of worker processes by pinging them at periodic intervals. If a worker process fails to respond to a ping, WAS terminates the process and starts a new one. This enables the system to keep responding to requests, even when a worker process gets hung up. If a process crashes and the worker process hangs, http.sys will queue up the requests until WAS starts a new worker process to handle that application pool. The end user will experience a temporary loss of service with applications in that application pool, while the core web services and any other applications will continue to function.
Scalability
Worker process isolation mode also allows for better scaling of the web server. Thousands of sites can exist on a server with this configuration. Each application pool can be throttled individually, limiting the individual application pool to a certain amount of processor time.
Web Gardens
Multiple worker processes can be set up to handle a single application pool. This is called a web garden. Web gardens allow for better multiprocessor scalability, since each worker process can have an affinity for a single processor, to increase the cache hits on that processor. If one worker process gets bogged down, the other ones can take up the slack. It also reduces the need to reboot the server, even when upgrading components, because the application pool can merely be restarted. The number of requests that should be queued for each application pool can be set in http.sys when running in worker process isolation mode. When this limit is reached, new requests to the full application pool are not processed, and the user gets an HTTP 503 error. For more details on application pools and these options, see Chapter 2.
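The routing, queueing, health-monitoring and web-garden behaviour described in the Application Pools, Health Monitoring and Web Gardens sections, as a constructed Python model added here (it is neither IIS code nor code from the book): http.sys is reduced to a longest-prefix routing table with one bounded request queue per pool, WAS to a loop that replaces a worker that has died, and a "crash" flag on a request stands in for an errant application. The pool names, URL prefixes and queue lengths are made up, and one simplification is labelled in the code: WAS replaces a dead worker only once a pool has no live worker left, rather than on a periodic ping.

```python
from collections import deque


class WorkerProcess:
    """Toy stand-in for one w3wp.exe instance (constructed model, not IIS code)."""

    def __init__(self):
        self.healthy = True

    def handle(self, request):
        # A request flagged 'crash' is an errant application: it takes down this worker only.
        if request["crash"]:
            self.healthy = False
            return 500
        return 200


class ApplicationPool:
    """Own request queue (held by http.sys in the real design) plus workers; workers > 1 is a web garden."""

    def __init__(self, queue_length=1000, workers=1):
        self.queue_length, self.queue = queue_length, deque()
        self.workers = [WorkerProcess() for _ in range(workers)]
        self.restarts = 0  # times WAS had to replace a dead worker

    def enqueue(self, request):
        # http.sys rule from the text: a full queue is answered with 503 at once.
        if len(self.queue) >= self.queue_length:
            return 503
        self.queue.append(request)
        return None

    def replace_dead_workers(self):
        # WAS health monitoring: a worker that no longer answers is replaced.
        for i, w in enumerate(self.workers):
            if not w.healthy:
                self.workers[i] = WorkerProcess()
                self.restarts += 1

    def drain(self, results):
        # Simplification: WAS steps in only once no live worker is left; queued requests wait, they are not lost.
        while self.queue:
            worker = next((w for w in self.workers if w.healthy), None)
            if worker is None:
                self.replace_dead_workers()
                continue
            request = self.queue.popleft()
            results[request["id"]] = worker.handle(request)


class Server:
    """http.sys namespace routing table plus WAS over a fixed set of pools."""

    def __init__(self, pools, applications):
        # applications: {URL prefix: pool name}, one routing entry per application.
        self.pools, self.results, self._next_id = pools, {}, 1
        self.routes = sorted(applications.items(), key=lambda r: -len(r[0]))

    def route(self, url):
        # Longest matching prefix wins, as with nested applications under a site.
        for prefix, pool_name in self.routes:
            if url.startswith(prefix):
                return self.pools[pool_name]
        raise LookupError("no application mapped for " + url)

    def submit(self, url, crash=False):
        # Queue a request and return its id; an immediate 503 is recorded here.
        rid, self._next_id = self._next_id, self._next_id + 1
        status = self.route(url).enqueue({"id": rid, "crash": crash})
        if status is not None:
            self.results[rid] = status
        return rid

    def run(self):
        for pool in self.pools.values():
            pool.drain(self.results)
        return self.results


def demo():
    """Default pool, a single-worker pool with a short queue, and a two-worker web garden."""
    srv = Server(
        {"DefaultAppPool": ApplicationPool(),
         "ShopPool": ApplicationPool(queue_length=2, workers=1),
         "GardenPool": ApplicationPool(workers=2)},
        {"/": "DefaultAppPool", "/shop/": "ShopPool", "/garden/": "GardenPool"})
    a = srv.submit("/shop/buggy.asp", crash=True)  # errant app kills ShopPool's worker
    b = srv.submit("/shop/cart.asp")               # waits in the queue for a new worker
    c = srv.submit("/shop/more.asp")               # queue length 2 exceeded -> 503
    d = srv.submit("/default.htm")                 # other pools are untouched
    e = srv.submit("/garden/buggy.asp", crash=True)
    f = srv.submit("/garden/ok.asp")               # second garden worker takes the slack
    results = srv.run()
    return {"shop_crash": results[a], "shop_next": results[b],
            "shop_overflow": results[c], "default": results[d],
            "garden_crash": results[e], "garden_next": results[f],
            "shop_restarts": srv.pools["ShopPool"].restarts,
            "garden_restarts": srv.pools["GardenPool"].restarts}
```

Running demo() shows the three properties the chapter attributes to worker process isolation mode: the crash in ShopPool costs one worker and one WAS restart while the request behind it is still served, the request to the default pool is unaffected, and the web garden absorbs the same crash without any restart at all; the only request that fails outright is the one that arrived when ShopPool's queue was already full.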