Figure 12.7 IIS 6.0 Metabase
■ Managing Worker Processes Managing worker processes includes starting, maintaining information, recycling, and the time to restart them.
Inetinfo.exe
A user mode component, Inetinfo.exe hosts the IIS metabase, FTP, SMTP, and NNTP services. It depends on the IIS Admin service to host the metabase.
Where the Metabase Took Us … and Fell Short
The metabase in IIS is a hierarchical structure used for storing configuration information. It was introduced in IIS 4.0 as a replacement for storing configuration information in the registry. The metabase was improved in IIS 6.0, first by formatting it into a text file using XML, and then by allowing it to be edited while running.
One of the metabase’s shortcomings is that it is difficult to read and difficult to locate exactly what you’re looking for. The old metabase supported outdated interfaces such as Admin Base Objects (ABOs). It also incorporated its own access control lists (ACLs); therefore, it did not use the existing ACLs from the file system. This made it very difficult to maintain. Putting in or extending the metabase schema was incredibly difficult. Figures 12.7 and 12.8 show both metabase.xml and mbschema.xml. Notice how difficult it would be to find something specific in either file.
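One way to make a specific setting easier to find is to index the file by Location and resolve each key's effective value by walking up the hierarchy. The following is an added example, not code from the original text: the XML fragment is constructed and simplified in the style of metabase.xml, the function names are illustrative, and it assumes that AccessFlags and AuthFlags are inherited by child keys unless overridden.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment in the style of metabase.xml (not a real server).
SAMPLE = """<configuration><MBProperty>
<IIsWebService Location="/LM/W3SVC" AccessFlags="AccessRead | AccessScript"
               AuthFlags="AuthAnonymous | AuthNTLM"/>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\\web"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/upload"
                  AccessFlags="AccessRead | AccessWrite | AccessScript"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/admin" AuthFlags="AuthNTLM"/>
</MBProperty></configuration>"""

def load_nodes(xml_text):
    """Index every element that has a Location by its lower-cased path."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location")
        if loc:
            nodes[loc.rstrip("/").lower()] = dict(el.attrib)
    return nodes

def effective(nodes, location, prop):
    """Return (flag set, Location that set it), walking up until prop is found."""
    # Assumption: prop is inherited by child keys unless a child overrides it.
    path = location.rstrip("/").lower()
    while path:
        attrs = nodes.get(path, {})
        if prop in attrs:
            flags = {f.strip() for f in attrs[prop].split("|")}
            return flags, attrs["Location"]
        path = path.rpartition("/")[0]
    return set(), None

def audit(xml_text):
    """List keys where anonymous users effectively have write access."""
    nodes = load_nodes(xml_text)
    findings = []
    for attrs in nodes.values():
        loc = attrs["Location"]
        access, access_src = effective(nodes, loc, "AccessFlags")
        auth, auth_src = effective(nodes, loc, "AuthFlags")
        if "AccessWrite" in access and "AuthAnonymous" in auth:
            findings.append((loc, access_src, auth_src))
    return findings

if __name__ == "__main__":
    for loc, a_src, u_src in audit(SAMPLE):
        print(f"{loc}: AccessWrite from {a_src}, AuthAnonymous from {u_src}")
```

Each finding names the key that actually set the flag, which is the part a flat text search of the file does not reveal.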
Metabase backup provided a way to ensure that restoration could take place in case of corruption or if a server crashed. Although effective, the tools used in backing up the metabase in IIS 6.0 were quite old. It was not uncommon to back up the metabase and store it remotely by creating a common batch file. Using both xcopy.exe and iisback.vbs, one could automate the backup process. To run a script to conduct the backup, a user or IIS administrator had to be a member of the local Administrators group of the computer where they were backing up the metabase. Figure 12.9 is an example of what might be in a batch file that would use both xcopy.exe and iisback.vbs to back up the metabase.
Figure 12.8 IIS 6.0 Schema
Figure 12.9 Example of Backup Batch File
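rem %password% must be set before this runs; /e encrypts the backup with it
set server=servername
set name=%date%-%server%
iisback /backup /b %name% /e %password%
rem copy the backup files, then the Web content, to the remote share
xcopy %windir%\system32\inetsrv\metaback\%name%.* \\backupserver\share$\%server%
xcopy /o /x /e /h /y /c c:\web \\backupserver\share$\%server%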
Another method of backing up the metabase in IIS 6.0 was through the IIS Manager, which would let an administrator save a copy of the metabase by right-clicking Web Sites and selecting All Tasks | Save Configuration to a File. You would then provide a filename and path for the backup. IIS 6.0 then created a machine key to encrypt some metabase parts in this file. This method limited the backup to being restored only on the machine where it originated. To use a backup made in this manner on a separate machine, the administrator had to select the Encrypt configuration using password check box, which substituted a password that the administrator created in place of the machine key that was typically created. This was very easy to overlook.
Administration: A Review
IIS 6.0 administration was primarily done in the user interface with IIS Manager. Because IIS Manager was very limited in remote capabilities, administrators were required to loosen the network security settings for Distributed Component Object Model (DCOM) so that true remote administration could take place. If remote administration was required and the traffic had to go through a firewall, administrators had to open TCP 135, thereby creating another security risk.
Finally, IIS Manager dealt with administration at a high level via category-based tabs rather than task-oriented ones, which are more detailed, less error prone, and easier to configure. For instance, Web site security is exposed via the “Directory Security” tab as shown in Figure 12.10. This shows the lack of task-oriented security and the overall lack of organization available in IIS Manager.
Figure 12.10 Web Sites Security in IIS Manager
Another tool for administering IIS 6.0 was adsutil.vbs. This utility used VBScript along with Active Directory Service Interfaces (ADSI) to modify an IIS configuration. One of the pitfalls with using adsutil.vbs was that there was no ability to delegate to users, and thus you really couldn’t do so without increasing security risks. Adsutil.vbs used old technology (ADSI); Microsoft is encouraging administrators to use WMI instead. Since the release of Windows Server 2003, Microsoft included eight different scripts that used WMI to help administrators manage IIS. The problem was that learning what eight different scripts did and how they made things more “simple” was counterproductive. IIS 7.0 remedies this with the implementation of Appcmd.exe. The following are the eight scripts that administrators needed to know:
■ iisapp.vbs Lists Web applications running on an IIS machine.
■ iisback.vbs Backs up, restores, lists, and deletes IIS configurations.
■ iisCnfg.vbs Exports and imports IIS configurations as an XML file; able to copy configurations and save them to disk.
■ iisext.vbs Enables and lists applications; adds and removes application dependencies; enables, disables, and lists Web service extensions; adds, removes, enables, disables, and lists Web service extension files.
■ iisFtp.vbs Creates, deletes, starts, stops, and lists FTP sites, and configures Active Directory user isolation for FTP sites.
■ iisFtpdr.vbs Creates and deletes virtual directories within FTP sites, and displays the virtual directories within a given root.
■ iisvdir.vbs Creates and deletes virtual directories within Web sites, and displays the virtual directories within a given root.
■ iisweb.vbs Creates, deletes, starts, stops, and lists Web sites.
Troubleshooting Failed Requests with IIS 6.0
Regardless of the product and the manufacturer, troubleshooting is a fact of life and a skill that improves with experience and time. IIS 6.0 improved its diagnostics capabilities from earlier versions. Still, most of the utilities used for troubleshooting were add-on tools that were not part of IIS 6.0 itself, but were provided by the operating system or were available for download. The following is a list of tools or built-in features used for troubleshooting problems with IIS 6.0:
■ WFetch.exe Used for troubleshooting HTTP connections. Can display the headers in HTTP Requests and HTTP Response packets sent between a client and a server.
■ File Monitor (FileMon.exe) Used for viewing and capturing file system activity in real time.
■ Registry Monitor (RegMon.exe) Similar to File Monitor except that it is used for viewing and capturing registry activity in real time.
■ IIS Request Monitor Captures information about HTTP requests in IIS worker processes; good for isolating and understanding problems when worker processes become slow or unresponsive.
■ Secure Sockets Layer Diagnostic Tool (SSLDiag) Useful in identifying configuration problems in the metabase, certificates, or certificate stores when running Web sites that use SSL.
■ Authentication and Access Control Diagnostics (authdiag.exe) Provides the ability to review, test, and correct problems or issues with authentication and authorization.
■ IIS Enterprise Tracing for Windows New in Windows Server 2003, this tool allows you to trace HTTP requests as they move through various components in the server architecture.
■ Network Monitor A network tracing tool that allows you to view activity on the network.
■ System Monitor Formerly known as Performance Monitor in Windows 2000, this tool helps you to view and collect system performance data.
■ HRPlus Provides error lookup functionality.
■ Microsoft Debugging Tools for Windows Used in debugging and diagnosing application problems.
As can be seen, IIS 6.0 has numerous add-on tools that were quite effective in troubleshooting problems. One feature that was expanded in service pack 1 (SP1) of Windows Server 2003 was Enterprise Tracing for Windows (ETW). ETW works by implementing tracing providers used for debugging and capacity planning. It implements these providers to track HTTP requests as they move through IIS components. For instance, if an ISAPI filter causes a delay or the hanging of an HTTP request, ETW can help determine which ISAPI filter is at fault.
Conducting an ETW tracing session can be quite cumbersome. It involves everything from obtaining each provider’s Globally Unique Identifier (GUID), specifying flags and levels in a text file, starting the tracing session with numerous switches, and finally generating the tracing report. The following is an example of a command that starts up the tracing process; notice all the parameters and switches. Once the tracing report was created, it was usually difficult for administrators and developers to pinpoint the cause of the failure.
logman start iis_trace -pf iis_providers.guid -ets
Basically, tracing in IIS 6.0 through ETW was difficult because it didn’t provide a user interface, it was very difficult to restrict to certain extensions or paths, and it was not extensible, so developers could not write custom events.