
OFFICIAL MICROSOFT LEARNING PRODUCT

6427A: Configuring and Troubleshooting Internet Information Services in Windows Server 2008

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, Internet Explorer, Outlook, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual C#, Visual Studio, Win32, Windows, Windows Media, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Technical Reviewer: Philip Morgan

Product Number: 6427A Part Number: X14-69082 Released: 12/2007

MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION
Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. "Academic Materials" means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. "Authorized Learning Center(s)" means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. "Authorized Training Session(s)" means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. "Course" means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. "Device(s)" means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. "Licensed Content" means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. "Software" means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. "Student(s)" means a student duly enrolled for an Authorized Training Session at your location.

i. "Student Content" means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. "Trainer(s)" means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. "Trainer Content" means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. "Virtual Hard Disks" means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.

m. "Virtual Machine" means a virtualized computing experience, created and accessed using Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.

n. "you" means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media. License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that becomes publicly known through no wrongful act; you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first ("beta term").

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.


a. Authorized Learning Centers and Trainers:

i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply: Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply: Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks: You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements: You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks. You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations. You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations. You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them. You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks. You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof. You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as Evaluation Software may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

The use of the Academic Materials will be only for your personal reference or training use; You will not republish or post the Academic Materials on any network computer or broadcast in any media; You will include the Academic Materials' original copyright notice, or a copyright notice to Microsoft's benefit in the format provided below:

Form of Notice: © 2008 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else's use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session; allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server; copy or reproduce the Licensed Content to any server or location for further reproduction or distribution; disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft's prior written approval; work around any technical limitations in the Licensed Content; reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation; make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation; publish the Licensed Content for others to copy; transfer the Licensed Content, in whole or in part, to a third party; access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use; rent, lease or lend the Licensed Content; or use the Licensed Content for commercial hosting services or general business purposes.

Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as NFR or Not for Resale.

10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.

EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n'accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d'adéquation à un usage particulier et d'absence de contrefaçon sont exclues.

LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.

Cette limitation concerne: tout ce qui est relié au le contenu sous licence, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers ; et les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d'une autre faute dans la limite autorisée par la loi en vigueur.

Elle s'applique également, même si Microsoft connaissait ou devrait connaître l'éventualité d'un tel dommage. Si votre pays n'autorise pas l'exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l'exclusion ci-dessus ne s'appliquera pas à votre égard.

EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d'autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.

Contents
Module 1: Configuring an Internet Information Services 7.0 Web Server
Lesson 1: Introducing Internet Information Services 7.0
Lesson 2: Installing the Web Server Role in Windows Server 2008
Lesson 3: Configuring Application Development, Health and Diagnostics, and HTTP Features
Lesson 4: Configuring Performance, Security, and SMTP Features
Lab: Configuring an IIS 7.0 Web Server

Module 2: Configuring IIS 7.0 Web Sites and Application Pools
Lesson 1: Introducing Web Sites and Application Pools
Lesson 2: Creating and Configuring Web Sites and Applications
Lesson 3: Creating and Configuring a New Application Pool
Lesson 4: Maintaining an Application Pool
Lab: Configuring IIS 7.0 Web Sites and Application Pools

Module 3: Configuring IIS 7.0 Application Settings
Lesson 1: Configuring Application Settings
Lesson 2: Configuring ASP.NET Security
Lab: Configuring IIS 7.0 Application Settings

Module 4: Configuring IIS 7.0 Modules
Lesson 1: An Overview of IIS 7.0 Modules
Lesson 2: Reviewing Native Module Functionality
Lesson 3: Configuring Native Modules
Lesson 4: Configuring Managed Modules
Lab: Configuring and Editing Modules

Module 5: Securing the IIS 7.0 Web Server and Web Sites
Lesson 1: Configuring Secure Web Sites and Servers
Lesson 2: Configuring Other Aspects of Web Server Security
Lesson 3: Configuring Logging for IIS 7.0
Lab: Securing the IIS 7.0 Web Server and Web Sites

Module 6: Configuring Delegation and Remote Administration
Lesson 1: Configuring Remote Administration
Lesson 2: Configuring Delegated Administration
Lesson 3: Configuring Feature Delegation
Lab: Configuring Delegation and Remote Administration

Module 7: Using Command-line and Scripting for IIS 7.0 Administration
Lesson 1: Tools for Running Administrative Tasks in IIS
Lesson 2: Executing Scripts for Administrative Tasks
Lesson 3: Managing IIS Tasks
Lab: Using Command-line and Scripting for IIS 7.0 Administration

Module 8: Tuning IIS 7.0 for Improved Performance
Lesson 1: Implementing Best Practices for Improving IIS Performance
Lesson 2: Configuring Options to Improve IIS Performance
Lesson 3: Managing Application Pools to Improve IIS Performance
Lab: Tuning IIS 7.0 for Improved Performance

Module 9: Ensuring Web Site Availability with Web Farms
Lesson 1: Backing Up and Restoring Web Sites
Lesson 2: Introducing Shared Configurations
Lesson 3: Working with Shared Configurations
Lesson 4: Configuring Network Load Balancing for IIS
Lab: Ensuring Web Site Availability with Web Farms

Module 10: Troubleshooting IIS 7.0 Web Servers
Lesson 1: Using IIS 7.0 Logging for Troubleshooting
Lesson 2: Troubleshooting Authentication and Authorization
Lesson 3: Troubleshooting Communication
Lesson 4: Troubleshooting Configuration
Lab: Troubleshooting IIS 7.0 Web Servers

Lab Answer Keys

About This Course

MCT USE ONLY. STUDENT USE PROHIBITED

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description
The purpose of this three-day course is to prepare you to configure, manage, and support Internet Information Services 7.0 (IIS 7.0) in an enterprise environment.

Audience
The primary audience for this course is individuals who want to become a Web server administrator in an enterprise environment. Also, individuals who are assuming a new role requiring skills to manage content served by an IIS 7.0 Web server over the Internet, an intranet, and extranet, should be interested in this course. The secondary audience for this course is Web-based applications developers with networking skills who wish to learn more about IIS 7.0.

Student Prerequisites
This course requires that you meet the following prerequisites: Or A minimum of 1 year of experience administering and supporting a Web Server role using Windows Server 2003 Network + certification Course 6420 Foundational Series: Fundamentals of a Windows Server 2008 Network Infrastructure and Application Platform

Course Objectives
After completing this course, students will be able to:
- Install the Web Server role using Server Manager, on Server Core, and from an unattended setup.
- Configure IIS role services such as HTTP; security; performance and diagnostics; and management features.
- Configure IIS 7.0 Web sites and application pools.
- Configure application settings using ASP.NET.
- Configure and manage modules in IIS 7.0.
- Secure Web sites and servers.
- Configure delegation and remote administration.
- Use command line tools like PowerShell and AppCmd for scripting IIS 7.0.
- Configure Web sites and servers for the best performance.
- Ensure high availability of Web farms using backup and restore, Network Load Balancing, and shared configurations.
- Use various tools to troubleshoot common Web server-related issues with authentication, authorization, communication, and configuration.


Course Outline
This section provides an outline of the course:
- Module 1, "Configuring an IIS 7.0 Web Server": This module covers how to install the Web Server role on Windows Server 2008 and how to configure the most common features of IIS.
- Module 2, "Configuring IIS 7.0 Web Sites and Application Pools": This module covers how to create, configure, and manage new Web sites, applications, and application pools.
- Module 3, "Configuring IIS 7.0 Application Settings": This module covers how to configure application settings and how to deploy and secure multiple applications on a single Web server.
- Module 4, "Configuring IIS 7.0 Modules": This module covers how to configure and edit native and managed modules.
- Module 5, "Securing the IIS 7.0 Web Server and Web Sites": This module covers how to secure Web sites and servers, including configuring and managing authorization, authentication, and restrictions.
- Module 6, "Configuring Delegation and Remote Administration": This module covers how to use the delegated rights assignment and remote administration features in IIS 7.0.
- Module 7, "Using Command-line and Scripting for IIS 7.0 Administration": This module covers how to use command-line and scripting for IIS 7.0 administration.
- Module 8, "Tuning IIS 7.0 for Improved Performance": This module covers some best practices for improving performance in IIS 7.0, including how to manage application pools to achieve performance goals.
- Module 9, "Ensuring Web Site Availability with Web Farms": This module covers how to ensure high availability of Web farms using backup and restore, Network Load Balancing, and shared configurations.
- Module 10, "Troubleshooting IIS 7.0 Web Servers": This module covers how to use logging and the new tracing infrastructure to troubleshoot and fix some common types of problems.


Course Materials
- Course Handbook. The Course Handbook contains the material covered in class. It is meant to be used in conjunction with the Course Companion CD.
- Course Companion CD. The Course Companion CD contains the full course content, including expanded content for each topic page, full lab exercises and answer keys, topical and categorized resources, and Web links. It is meant to be used both inside and outside of the class.

Note: To access the full course content, insert the Course Companion CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.


Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Virtual Server 2005 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the host computer, click Start | All Programs | Microsoft Virtual Server, Virtual Server Administration Website.
2. Under Navigation, click Master Status.
3. For each virtual machine that is running, point to the virtual machine name, and then in the context menu, click Turn off Virtual Machine and Discard Undo Disks.
4. Click OK.

The following table shows the role of each virtual machine used in this course:
Virtual machine    Role
NYC-DC1            Domain controller for woodgrovebank.com
NYC-SVR1           Member server used to install IIS
NYC-SVR2           Member server used to install IIS
NYC-SVR3           Member server used to install IIS
NYC-WEB2           A secondary Web server
NYC-WEB-A          A primary Web server
NYC-WEB-B          A primary Web server
NYC-WEB-C          A primary Web server
NYC-WEB-D          A primary Web server


Software Configuration
The following software is installed on each VM: Windows Server 2008 Enterprise Edition

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.


Module 1
Configuring an Internet Information Services 7.0 Web Server
Contents:
Lesson 1: Introducing Internet Information Services 7.0
Lesson 2: Installing the Web Server Role in Windows Server 2008
Lesson 3: Configuring Application Development, Health and Diagnostics, and HTTP Features
Lesson 4: Configuring Performance, Security, and SMTP Features
Lab: Configuring an IIS 7.0 Web Server


Module Overview

Internet Information Services 7.0 provides the components necessary for the Web server role of the Microsoft Windows Server 2008 platform. Internet Information Services is an add-on server role for Windows Server 2008. This module briefly introduces the new component-based setup model of IIS 7.0. In this module, you will learn the fundamental workload scenarios for Web servers, and how to prepare for and install the Web server role of the Windows Server 2008 platform. You will also learn how to configure the most common features of IIS.


Lesson 1:

Introducing Internet Information Services 7.0

Before implementing Internet Information Services, it is important to understand the technology and components that comprise the Internet Information Services 7.0 Web server role. This lesson describes common scenarios, components, and technologies related to Internet Information Services.


Introducing IIS 7.0 Architecture

Key Points
Internet Information Services 7.0 introduces some important architectural changes from IIS 6.0. The new modular design allows administrators to install only what is needed, thereby reducing footprint, attack surface, and management overhead. It also allows custom modules to be installed to extend the Web server features. The key features of the new modular design are:
- Completely modular Web server
- Native extensibility
- .NET extensibility


The key advantages of the unified pipeline are:
- All content is served through the same pipeline
- Configuration is cached and can be changed without restarting the server

The Web server role can be installed on Windows Server 2008 Server Core. Server Core is a minimal installation of Windows Server 2008 with no local graphical user interface and a small footprint. The key advantages of running IIS on Server Core are:
- No added overhead
- Completely remote administration

Question: Which features of the new IIS 7.0 architecture will you use in your organization?


What Are Typical Workloads?

Key Points
A workload describes the type of content and applications that the Web server will provide. Before installing the Web server role, it is important to understand how the server will be used so that the proper components are installed.

Question: Why is it not a good idea to install all of the components on every server?


Lesson 2:

Installing the Web Server Role in Windows Server 2008

Deploying IIS requires an understanding of the various installation methods available and the scenarios to which they apply. In addition, understanding the new Server Core and Virtualized environment will help you make the most of the available resources in your organization. This lesson provides information to help you understand the installation options and requirements for deploying IIS 7.0 in a variety of environments.


Choosing an Installation Method

Key Points
There are three methods of installing IIS 7.0. The most common method is via the Graphical User Interface (GUI). In Windows Server 2008 this is done through Role Manager, which is part of the Server Manager tool. Using the command line interface, Pkgmgr can be used to install the IIS role and components either as a series of command lines or by using an XML file for unattended setup.

Question: What installation methods do you currently use to deploy IIS in your organization?


Installing IIS from the Role Manager

Key Points
Server Manager provides the setup user interface on Windows Server 2008. It replaces Manage Your Server in Microsoft Windows Server 2003. Server Manager also provides server role management. Here you can access a role's installed state, current status, and management tasks.

Question: What are the scenarios in which you would use the GUI to install the IIS role?


Installing IIS from the Command Line Using Pkgmgr

Key Points
The new command line tool for installing optional features in Windows Vista and Windows Server 2008 is Pkgmgr.exe. It replaces sysocmgr.exe, which installed Windows Optional Features on previous versions of Windows. Pkgmgr.exe allows you to install or uninstall Windows Optional Features directly from the command prompt or from scripts. For example, it can take a list of Windows features to install on the command line, or it can take an XML file name as a parameter for unattended installations.


Installing IIS Using Unattended Setup

Key Points
XML files containing the information necessary for an unattended installation can be written and provided to Setup.exe for installation of IIS 7.0 during the initial installation of the Windows operating system. Alternatively, an unattended XML file can be written and used with pkgmgr.exe to install IIS and its features after the operating system has been installed.

Question: When would you choose to install using unattended setup with an XML file versus through specifying the installation options through the command line?


Selecting the Appropriate Workload

Key Points
Installing IIS 7.0 from the command line requires that you explicitly specify the features you wish to have installed by name. You will also need to ensure that any dependencies get specified in the installation syntax. Failure to include dependencies in the setup syntax will cause the installation to be unsuccessful.


Installing IIS on Windows Server 2008 Server Core

Key Points
Windows Server 2008 Server Core does not have a graphical user interface, so you must install the IIS role at the command line or via unattended setup.

Question: How might you deploy Server Core Web servers in your organization?


Installing IIS in a Virtualized Environment

Key Points
If several servers run applications that consume only a fraction of the available resources, virtual machine technology can be used to enable them to run side by side on a single server, even if they require different versions of the operating system or middleware. Windows Server virtualization provides customers an ideal platform for key virtualization scenarios, such as:
- Production server consolidation
- Business continuity management
- Software test and development
- Dynamic data center

Question: How might your organization benefit from virtualization?


Lesson 3:

Configuring Application Development, Health and Diagnostics, and HTTP Features

It is important to understand the basic configuration schema and most common settings to configure Internet Information Services 7.0 successfully. This lesson describes those configuration considerations and the most common scenarios and their associated configuration settings. Additionally, it provides an overview of the configuration hierarchy and how to perform initial configuration tasks to ensure your Web server is functional.


How Is IIS 7.0 Configured?

Key Points
The configuration of IIS 7.0 is stored in XML configuration files. The XML configuration files:
- Replace the Metabase of previous versions of IIS
- Can be modified through various configuration interfaces
- Are fully extensible

Question: When would you use the Command Line configuration tool to modify the configuration instead of IIS Manager?


Where Are Configuration Files Stored?

Key Points
Every level of the URL namespace may have associated configuration. Configuration for a given level inherits down to child levels, unless specifically overridden by a child level. A simple way to achieve per-URL configuration is by using web.config files, in the physical file-system folders that are mapped to the virtual paths.
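How that inheritance resolves for a single setting, as an added example that is not part of the course materials: a simplified resolver that walks from the server-wide section in applicationHost.config through `<location>` overrides and per-folder web.config files down to the requested path, and reports which layer supplied the final value. The configurations and paths are constructed; the model assumes deeper paths override shallower ones and does not cover locking or collection merging.

```python
import xml.etree.ElementTree as ET

def _child(el, tag):
    """First direct child with the given tag, or None."""
    return next((c for c in el if c.tag == tag), None)

def _section_attrs(scope, section):
    """Attributes of <system.webServer>/<section> directly under scope."""
    web_server = _child(scope, "system.webServer")
    sec = _child(web_server, section) if web_server is not None else None
    return dict(sec.attrib) if sec is not None else {}

def effective_setting(apphost_xml, web_configs, path, section, attr):
    """Return (value, source) of section/@attr for a 'Site/folder/...' path.

    web_configs maps a virtual path to the text of the web.config stored in
    the folder mapped to that path.
    """
    root = ET.fromstring(apphost_xml)
    locations = {loc.get("path", "").lower(): loc
                 for loc in root if loc.tag == "location"}
    webs = {p.strip("/").lower(): text for p, text in web_configs.items()}

    # Build the layers from least specific to most specific.
    layers = [("applicationHost.config (global)", root)]
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        prefix = "/".join(parts[:depth])
        key = prefix.lower()
        if key in locations:
            layers.append(
                (f'applicationHost.config <location path="{prefix}">',
                 locations[key]))
        if key in webs:
            layers.append((f"web.config at {prefix}",
                           ET.fromstring(webs[key])))

    # The last layer that sets the attribute wins; parents are inherited.
    value, source = None, None
    for name, scope in layers:
        attrs = _section_attrs(scope, section)
        if attr in attrs:
            value, source = attrs[attr], name
    return value, source

# Constructed sample: directory browsing is off server-wide, switched on for
# one folder in applicationHost.config, and switched off again by a web.config
# in a subfolder.
APPHOST = """<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
  <location path="Default Web Site/downloads">
    <system.webServer>
      <directoryBrowse enabled="true" />
    </system.webServer>
  </location>
</configuration>"""

WEB_CONFIGS = {
    "Default Web Site/downloads/private":
        '<configuration><system.webServer>'
        '<directoryBrowse enabled="false" />'
        '</system.webServer></configuration>',
}

if __name__ == "__main__":
    for url_path in ("Default Web Site",
                     "Default Web Site/downloads/2008",
                     "Default Web Site/downloads/private/keys"):
        value, source = effective_setting(
            APPHOST, WEB_CONFIGS, url_path, "directoryBrowse", "enabled")
        print(f"{url_path}: enabled={value} (set by {source})")
```
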


Configuring Application Development Features

Key Points
Configuring ASP.NET: IIS 7.0 is configured to use the new Integrated mode for new applications and this is the default behavior. The pipeline mode and .NET Framework version are configured by using the application pool settings.

Configuring Classic ASP:
- In IIS Manager or by using the APPCMD.EXE command line tool, set the ASP behavior settings to match the needs of the application.
- Set the debugging properties, such as whether to Send Errors to the Browser.
- Give appropriate permissions to the ASP Application Pool identity.


Configuring Fast-CGI and PHP:
- Install PHP (available from http://www.php.net).
- Modify the PHP.INI file per the needs of the PHP application.
- Map the PHP extension to the Fast-CGI module.

Question: Which of these settings apply to the applications in your organization?


Configuring Health and Diagnostic Features

Key Points
Configure the appropriate Health and Diagnostics features depending on the needs and maturity of your sites and applications.

Note: More information on configuring Health and Diagnostics features will be covered in Module 10.

Question: In what scenarios would you want to enable more detailed Health and Diagnostics features?


Configuring HTTP Features

Question: Why is the HTTP Timeout setting important?


Lesson 4:

Configuring Performance, Security, and SMTP Features

In addition to basic configuration, there are a few performance and security features that are commonly configured during or just after installation. This lesson describes these features and the common settings and scenarios in which they might be enabled.


Configuring Performance Features

Key Points
Static caching will cache static content such as HTML pages and graphics files. This can greatly improve page response times for clients. To enable static caching:
- Add a cache rule in IIS Manager
- Configure the file types that you want to cache, such as JPG or HTML
- Set the change notification


Dynamic Output caching will cache versions of output that change depending on a Web application's output. For example, you may have a page that is nearly identical except for localized text. You can cache the possible versions of the page and automatically reload the content into the cache if it has expired. To enable Dynamic Output Caching:
- Add a cache rule in IIS Manager
- Set a time interval
- Set the differentiator that distinguishes the versions, such as localized language or other variable(s) used by the Web application

There are other settings that will be covered in more detail in later modules, such as application pools, HTTP compression, network, and operating system settings.


Configuring Security Features

Key Points
Configure the security settings to match the needs of the sites and applications.

Note: These settings will be covered in more detail in later modules.

Question: What are the security needs of the applications in your organization?


Configuring SMTP Features

Key Points
Some Web sites need to send email through an SMTP (Simple Mail Transfer Protocol) server. To enable this functionality, you need to configure information needed to contact the SMTP server. This can be accomplished through the Site settings in IIS Manager.

Question: What are some examples of sites that use SMTP?


Discussion: How Is Your Current Environment Deployed?

Key Points
Discuss your organization's current environment in a classroom discussion, led by your instructor, and determine possible installation and configuration solutions in IIS7.

Number of Machines and Sites


How many physical servers are operating as Web sites in your organization? How many sites? Are they configured similarly or differently? Why?


Possible Installation Methods


Based on the previous discussion, how might you install IIS in your environment? How would you add new servers for different scenarios, such as testing, development or production?

Server Core and Virtualization Opportunities


Think about the different servers and sites in your organization. How might you use Server Core or Virtualization to make the most of your physical machines? Is there room for consolidation? How might you streamline using new machines?


Lab: Configuring an IIS 7.0 Web Server

Exercise 1: Installing IIS Using Role Manager


Scenario
You receive a service request from the Enterprise Design Team to prepare three Web servers to host Web sites and Web applications. One of the companies acquired by Woodgrove Bank has a classic ASP application that needs to be hosted in IIS7.

Exercise Overview
In this exercise, you will learn how to install IIS 7.0 using Role Manager. This exercise's main tasks are:
1. Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin.
2. Turn on Network Discovery.
3. Install the Web server role.


Task 1: Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin


Start 6427A-NYC-SVR1, and log on as LocalAdmin with the password of Pa$$w0rd.

Task 2: Turn on Network Discovery


Open Network and Sharing Center and turn on Network Discovery and File Sharing for all public networks.

Task 3: Install the Web server role


Use Server Manager to add the Web Server (IIS) role and ASP as a required service. Test functionality by loading http://localhost in the browser.
Results: After this exercise, you should have successfully verified that the Web Server (IIS) role is installed and loaded the IIS Welcome page in Internet Explorer.


Exercise 2: Installing IIS Using Unattended Setup


Scenario
Now you will set up the second IIS Web server to host the new ASP.NET application. You will install IIS by creating an Unattend.XML file based on the example given on the student CD by modifying it to only install the features needed. This will be an ASP.NET application server and will need to have all security, compression and caching features installed so that development can experiment with configuration.

Exercise Overview
In this exercise, you will learn how to install IIS using unattended setup. This exercise's main tasks are:
1. Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin.
2. Turn on Network Discovery.
3. Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features.
4. Install IIS using Pkgmgr with the Unattend.XML file and verify once completed.

Task 1: Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin


Start 6427A-NYC-SVR3, and log on as LocalAdmin with the password of Pa$$w0rd.

Task 2: Turn on Network Discovery


Open Network and Sharing Center and turn on Network Discovery and File Sharing for all public networks.


Task 3: Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features
1. Open E:\mod01\labfiles\unattend.xml in Notepad and delete the following lines:
<selection name="IIS-HttpRedirect" state="true"/>
<selection name="IIS-ASP" state="true"/>
<selection name="IIS-CGI" state="true"/>
<selection name="IIS-ISAPIExtensions" state="true"/>
<selection name="IIS-ISAPIFilter" state="true"/>
<selection name="IIS-IIS6ManagementCompatibility" state="true"/>
<selection name="IIS-Metabase" state="true"/>
<selection name="IIS-WMICompatibility" state="true"/>
<selection name="IIS-LegacyScripts" state="true"/>
<selection name="IIS-LegacySnapIn" state="true"/>

2. Save the modified file to c:\unattend.xml.

Task 4: Install IIS using Pkgmgr with the Unattend.XML file and verify once completed
1. Start /w pkgmgr /n:unattend.xml to install IIS.
2. Verify installation by using the command echo %errorlevel%.
3. Use Server Manager to verify that the Web server role is installed, and open http://localhost in the browser.
Results: After this exercise, you should have successfully installed IIS using an unattend file and verified the IIS Welcome page.


Exercise 3: Installing IIS on Server Core from Command Line


Scenario
The final server you will install is a Server Core Web server that will act primarily as a redirection server to the ASP server.

Exercise Overview
In this exercise, you will learn how to install IIS via the command line in a Server Core environment. This exercise's main tasks are:
1. Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator.
2. Disable the firewall.
3. Install IIS from the command line.

Task 1: Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator


Start 6427A-NYC-SVR2, and log on as Administrator with the password of Pa$$w0rd.

Task 2: Disable the firewall


On NYC-SVR2, in the command prompt window, type netsh firewall set opmode disable and press Enter.


Task 3: Install IIS from the command line


1. Type the following and then press Enter. Note that the feature names are case-sensitive:
Start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors;IIS-HttpRedirect;WAS-WindowsActivationService;WAS-ProcessModel

2. When the process completes, type echo %errorlevel%, and then press Enter.

On NYC-SVR1, in Internet Explorer, browse to http://nyc-svr2 to verify functionality.


Results: After this exercise, you should have successfully installed IIS on Microsoft Server 2008 Server Core from the command line and verified by loading the IIS Welcome page from another machine running Internet Explorer.
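The feature lists in Exercises 2 and 3 are easy to get wrong by hand, because names are case-sensitive and a feature's parent has to be listed with it. The following added example (not part of the course materials) checks a pkgmgr /iu: list, or the enabled selection entries of an unattend file, for misspelled names, missing parents, and features outside a workload allowlist before the install is run. The feature tree is a partial subset assumed for this example, the allowlist is hypothetical, and the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Parent of each feature (None = top level). Partial tree assumed for this
# example: the features named in this lab plus the parents they sit under.
PARENT = {
    "IIS-WebServerRole": None,
    "IIS-WebServer": "IIS-WebServerRole",
    "IIS-CommonHttpFeatures": "IIS-WebServer",
    "IIS-StaticContent": "IIS-CommonHttpFeatures",
    "IIS-DefaultDocument": "IIS-CommonHttpFeatures",
    "IIS-HttpErrors": "IIS-CommonHttpFeatures",
    "IIS-HttpRedirect": "IIS-CommonHttpFeatures",
    "IIS-ApplicationDevelopment": "IIS-WebServer",
    "IIS-ASP": "IIS-ApplicationDevelopment",
    "IIS-CGI": "IIS-ApplicationDevelopment",
    "IIS-ISAPIExtensions": "IIS-ApplicationDevelopment",
    "IIS-ISAPIFilter": "IIS-ApplicationDevelopment",
    "IIS-WebServerManagementTools": "IIS-WebServerRole",
    "IIS-IIS6ManagementCompatibility": "IIS-WebServerManagementTools",
    "IIS-Metabase": "IIS-IIS6ManagementCompatibility",
    "IIS-WMICompatibility": "IIS-IIS6ManagementCompatibility",
    "IIS-LegacyScripts": "IIS-IIS6ManagementCompatibility",
    "IIS-LegacySnapIn": "IIS-IIS6ManagementCompatibility",
    "WAS-WindowsActivationService": None,
    "WAS-ProcessModel": "WAS-WindowsActivationService",
}

def _key(name):
    """Loose form of a name, used to suggest the exact spelling."""
    return name.replace("-", "").lower()

CANONICAL = {_key(name): name for name in PARENT}

def features_from_iu(command):
    """Extract the feature list from a 'pkgmgr /iu:a;b;c' command line."""
    for token in command.split():
        if token.lower().startswith("/iu:"):
            return [f for f in token[4:].split(";") if f]
    return []

def features_from_unattend(xml_text):
    """Names of <selection> elements with state="true", in any namespace."""
    root = ET.fromstring(xml_text)
    return [el.get("name") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "selection"
            and el.get("state", "").lower() == "true"]

def audit(features, allowed=None):
    """Return (kind, feature, detail) findings; an empty list means clean."""
    findings = []
    chosen = set(features)
    for feature in features:
        if feature not in PARENT:
            suggestion = CANONICAL.get(_key(feature), "no close match")
            findings.append(("unknown", feature, suggestion))
            continue
        parent = PARENT[feature]
        if parent is not None and parent not in chosen:
            findings.append(("missing-parent", feature, parent))
        if allowed is not None and feature not in allowed:
            findings.append(("not-allowed", feature,
                             "outside the workload allowlist"))
    return findings

# Hypothetical allowlist for a static-content server.
STATIC_SITE = {"IIS-WebServerRole", "IIS-WebServer", "IIS-CommonHttpFeatures",
               "IIS-StaticContent", "IIS-DefaultDocument", "IIS-HttpErrors"}

# Constructed inputs: the Exercise 3 feature list, a list with typical slips,
# and a trimmed unattend file (the real file also carries package identity).
GOOD_IU = ("start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;"
           "IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;"
           "IIS-HttpErrors;IIS-HttpRedirect;WAS-WindowsActivationService;"
           "WAS-ProcessModel")
BAD_IU = ("start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;"
          "IISCommonHttpFeatures;IIS-staticcontent;IIS-ASP")
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <servicing><package action="configure">
    <selection name="IIS-WebServerRole" state="true"/>
    <selection name="IIS-WebServer" state="true"/>
    <selection name="IIS-CommonHttpFeatures" state="true"/>
    <selection name="IIS-StaticContent" state="true"/>
    <selection name="IIS-Metabase" state="true"/>
    <selection name="IIS-CGI" state="false"/>
  </package></servicing>
</unattend>"""

if __name__ == "__main__":
    for label, feats, allow in (
            ("good /iu list", features_from_iu(GOOD_IU), None),
            ("bad /iu list", features_from_iu(BAD_IU), None),
            ("unattend file", features_from_unattend(SAMPLE_UNATTEND),
             STATIC_SITE)):
        print(label, audit(feats, allow) or "clean")
```
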


Exercise 4: Configuring IIS and Validating Functionality


Scenario
With the three Web servers installed, configure each as necessary to perform its function.

Exercise Overview
In this exercise, you will configure common IIS features and validate functionality. This exercise's main tasks are:
1. Configure NYC-SVR1 for ASP debugging, detailed error messages, HTTP compression and SMTP Service.
2. Configure NYC-SVR3 to trace server errors, enable directory browsing, enable Windows authentication and impersonation, configure UDDI, and enable dynamic output compression.
3. Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1.

Task 1: Configure NYC-SVR1 for ASP debugging, detailed error messages, and HTTP compression
1. On NYC-SVR1, in Internet Information Services (IIS) Manager, under ASP Compilation settings, enable Client-side and Server-side debugging. Enable Send Errors to Browser.
2. Under HTTP Response Headers, set Expire Web Content. Under Compression, enable Static Content Compression. Under Error Pages, enable Detailed error messages.

On NYC-SVR3, in Internet Explorer, browse to a page on NYC-SVR1 that does not exist, such as http://nyc-svr1/default.asp to check error functionality.


Task 2: Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression and SMTP
1. On NYC-SVR3, in Internet Information Services (IIS) Manager, under Failed Request Tracing, enable Failed Request Tracing. 2. 3. 4. Add a rule to trace status code 500 for critical errors.

Enable Directory Browsing, Windows Authentication, and ASP.NET Impersonation. In Server Manager, add the UDDI Services role and configure it to not require SSL. In IIS Manager, under Output Caching, add a cache rule for the aspx extension to enable User-mode caching. Under ASP.NET, configure SMTP email for email address NYCSVR3@WoodGroveBank.com, server name SMTP.WoodgroveBank.com.

5.

Test the configuration by browsing to http://localhost/uddi. Browse to http://localhost/aspnet_client and investigate the failed request log.


Task 3: Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1
1. On NYC-SVR2, in the command prompt window, type cd \windows\system32\inetsrv\config and then press Enter. Type edit applicationHost.config and then press Enter. Scroll down to <defaultDocument enabled="true"> (approximately line 169), and change "true" to "false". Scroll down to <httpRedirect enabled="false" /> (approximately line 246), and modify this line to read:
<httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://10.10.0.24/" />

2. On NYC-SVR3, in Internet Explorer, browse to http://nyc-svr2 to test the redirection.


Results: After this exercise, you should have successfully configured and verified the configuration of the three web servers.


Module Review and Takeaways

Review Questions
1. What is the benefit of a modular architecture?
2. Describe various scenarios in which organizations may benefit from implementing IIS on Windows Server Core.
3. Which installation method can be used with scripting?
4. Which workloads are not available on Windows Server Core?


Module 2
Configuring IIS 7.0 Web Sites and Application Pools
Contents:
Lesson 1: Introducing Web Sites and Application Pools
Lesson 2: Creating and Configuring Web Sites and Applications
Lesson 3: Creating and Configuring a New Application Pool
Lesson 4: Maintaining an Application Pool
Lab: Configuring IIS 7.0 Web Sites and Application Pools


Module Overview

IIS 7.0 makes Web sites and applications more secure by automatically isolating them, providing sandboxed configuration and unique process identity by default. This module briefly introduces the new integrated pipeline mode of IIS 7.0 and new features of application pools. In this module, you will learn how to create new sites, applications, and application pools. You will also learn how to configure and manage application pools.


Lesson 1:

Introducing Web Sites and Application Pools

Before configuring application pools, it is important to understand how application pools relate to Web sites in the new pipeline model and the implications to authentication. In this lesson, you will learn about Web sites and application pools, and how authentication works in IIS. You will also learn about the default application pool properties.


How Are Web Sites and Application Pools Used?

Key Points
An application pool is a group of one or more URLs that are served by a worker process or a set of worker processes. Application pools set boundaries for the applications they contain, which means that any applications running outside of a given application pool cannot affect the applications within the application pool.

Question: Do you have multiple applications running under one application pool in your organization?


Review of the Unified Request Processing Pipeline in IIS 7.0

Key Points
In IIS7, the ASP.NET request processing pipeline overlays the IIS pipeline directly, essentially providing a wrapper over it instead of plugging into it. A request arriving for any content type is processed by IIS, with both native IIS modules and ASP.NET modules being able to provide request processing in all stages. This enables services provided by ASP.NET modules like Forms Authentication or Output Cache to be used for requests to ASP pages, PHP pages, static files, and so on.


The ability to plug directly into the server pipeline allows ASP.NET modules to replace, run before, or run after any IIS functionality. This enables, for example, a custom ASP.NET basic authentication module written to use the Membership service and SQL Server user database to replace the built-in IIS basic authentication feature that works only with Windows accounts.

Question: What is an ISAPI filter and why was it used in IIS 6.0?


How Does Authentication Work in IIS 7.0?

Key Points
The identity of an application pool is the name of the service account under which the application pool's worker process runs. By default, application pools operate under the Network Service user account, which has low-level user access rights. You can configure application pools to run under one of the built-in user accounts in the Microsoft Windows Server 2008 operating system. For example, you can specify the Local System user account, which has higher-level user privileges than either the Network Service or Local Service built-in user accounts. However, remember that running an application pool under an account with high-level user rights is a serious security risk.

Question: In which scenarios in your organization might you use a custom identity for an application pool?


Review of Authentication Types

Key Points
Authentication is the process for verifying that an entity or object is who or what it claims to be. IIS 7.0 supports the following authentication methods:
• Basic authentication prompts the user for a user name and a password, also called credentials, which are sent unencrypted over the network.
• Integrated Windows authentication uses hashing technology to scramble user names and passwords before sending them over the network.
• Digest authentication operates much like Basic authentication, except that passwords are sent across the network as a hash value. Digest authentication is only available on domains with domain controllers running Windows Server operating systems.
• Anonymous authentication allows everyone access to the public areas of the Web sites, without asking for a user name or password.
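An added example (not from the course material) contrasting what Basic and Digest authentication put on the wire, as described in the list of authentication methods above. The user name, password, realm, nonce and URI are constructed sample values, and the Digest calculation is the simplest RFC 2617 form (no qop), chosen for brevity.

```python
import base64
import hashlib
import hmac


def basic_header(user, password):
    """Build the Authorization header value a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def read_basic_header(value):
    """Recover the credentials from a Basic header: base64 is an encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); the server can store this instead of the password."""
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), with HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_accepts(stored_ha1, method, uri, nonce, response):
    """Server side: recompute the response for the nonce it issued and compare."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


# Constructed sample values (not accounts from the lab).
USER, PASSWORD, REALM = "jsmith", "Example-Passw0rd", "woodgrovebank.com"
URI = "/restricted/"

if __name__ == "__main__":
    header = basic_header(USER, PASSWORD)
    print("Basic header on the wire :", header)
    print("Decoded by any observer  :", read_basic_header(header))

    ha1 = digest_ha1(USER, REALM, PASSWORD)
    first = digest_response(ha1, "GET", URI, "nonce-0001")
    print("Digest response, nonce 1 :", first)
    print("Digest response, nonce 2 :", digest_response(ha1, "GET", URI, "nonce-0002"))
    # A captured response is bound to the nonce it was computed for.
    print("Replayed against nonce 2 :", server_accepts(ha1, "GET", URI, "nonce-0002", first))
```

Because the Basic header decodes directly to the password, a site that uses Basic authentication needs TLS on the connection; the Digest response is a hash bound to the server's nonce, so the password itself never crosses the network.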


What Are the Default Application Pool Properties?

Key Points
The default application pool is named DefaultAppPool. It is set to use ASP.NET integrated mode and runs under the Network Service identity.

Question: What application pool settings would you change if upgrading a key server from IIS 6.0 to IIS 7.0 in your environment?


Lesson 2: Creating and Configuring Web Sites and Applications

In this lesson, you will learn the difference between sites and applications, and how to create sites and applications. You will also learn how to configure virtual directories and authentication, and some scenarios and best practices for hosting sites in a virtualized environment.


Creating a Web Site

Key Points
When you want to publish content for access over the Internet or an intranet connection, you can add a Web site to your Web server to hold the content.

Question: Why would you add more than one site to a server?


What Is a Web Application?

Key Points
An ASP.NET Web application, in its simplest form, consists of a directory made available by means of HTTP, using the IIS administration tool or through the Web Sharing tab of a folder's Properties dialog box (or by creating a Web application project in Microsoft Visual Studio .NET), and at least one ASP.NET page, designated by the .aspx file extension. This file (or files) typically contains a mix of HTML and server-side code. The HTML and server-side code combine to create the final output of the page, typically consisting of HTML markup that is sent to the client browser.

Question: What are some examples of Web applications?


Creating a Web Application

Key Points
A Web application is a grouping of content at the root level of a Web site or a grouping of content in a separate folder below the Web site's root directory. When you add a Web application in IIS 7.0, you designate a directory as the application root, or starting point, for the application and then specify properties specific to that particular application, such as the application pool that the application will run in.

Question: What permission level is needed to create a Web application?


Creating a Virtual Directory

Key Points
A virtual directory is a directory name, used in an address, which corresponds to a physical directory on the server. You can add a virtual directory to include directory content in a Web site or Web application without needing to move the content physically into that Web site or Web application directory.

Question: How might your organization benefit from virtual directories?


Configuring Authentication

Key Points
You can configure IIS to authenticate users before they are permitted access to a Web site, a folder in the site, or even a particular document contained in a folder in the site. Authentication in IIS can be used to strengthen the level of security on sites, folders, and documents that are not to be viewed by the general public. Authentication in IIS is critical when resources are not meant for anonymous or public access, but when the Web server must be accessible to approved users over the Internet. Examples of Web site applications that require authentication access control include Microsoft Outlook Web Access (OWA) and the Microsoft Terminal Services Advanced Client.

Question: When would you configure authentication at the site level versus the application level?


Hosting Web Sites in a Virtualized Environment

Key Points
IIS 7.0 can run on a virtual machine. To get the most from this configuration:
• On a 64-bit host machine, enable 32-bit processes and run multiple 32-bit Web servers (each will have access to up to 4 GB of memory).
• Consolidate legacy Web sites and applications to virtual servers running older operating systems to free hardware and resources.
• Use virtual machines to further isolate sites.
• Deploy identical virtual servers with virtual directories hosted on network attached storage to host multiple sites.

Question: How would you virtualize your organization's servers?


Lesson 3: Creating and Configuring a New Application Pool

Application pools allow you to apply configuration settings to groups of applications and the worker processes that service those applications. Any Web site, Web directory, or virtual directory can be assigned to an application pool. In this lesson, you will learn how to create an application pool and set its basic properties. You will also learn how to modify an existing application pool.


Creating an Application Pool

Key Points
Application pools isolate Web sites and Web applications to address reliability, availability, and security issues.

Question: What is the impact of creating too many application pools?


Setting Basic Properties of an Application Pool

Key Points
You can configure the basic settings for the application pool.

Question: When would you want to configure the application pool through a script?


Configuring IIS 7.0 Application Pools

Key Points
Configure an Application Pool's Advanced Settings to change the pipeline mode and configure health management and recycling settings.

Question: Why is the timeout setting important?


Lesson 4: Maintaining an Application Pool

In addition to basic configuration, there are some specific tasks you may need to perform periodically to maintain application pools. This lesson describes these tasks and the common settings and scenarios in which they might be performed.


Recycling Application Pools

Key Points
Recycling only works on an application pool that is already running.


Stopping an Application Pool

Key Points
Stopping an application pool causes the WWW service to shut down all running worker processes serving that application pool. The WWW service does not restart these worker processes. An administrator must restart all stopped application pools. All applications routed to a stopped application pool receive 503 Service Unavailable errors.

Question: Why would you stop an application pool instead of recycling it?


Editing All Application Pool Properties

Key Points
Not all settings are available in the Basic properties.


Renaming an Application Pool

Key Points
You might decide to rename an application pool to better associate it with the applications it contains.


Removing an Application Pool

Key Points
If an application pool does not have any applications assigned to it, you can remove the application pool. However, if the application pool has applications assigned to it, you must assign those applications to another application pool before removing the original application pool. Applications cannot run unless they are associated with an application pool.


Managing Authentication

Key Points
You can perform this procedure by using the user interface (UI), by running IIS 7.0 command-line tool commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.


Lab: Configuring IIS 7.0 Web Sites and Application Pools

Exercise 1: Configuring Authentication Types


Scenario
You receive a service request from the Enterprise Design Team to organize the existing NYC-WEB-A server into virtual directories by access level. There will be two access levels: public and restricted. Anyone on the network should be able to access the public content. Only authenticated users should be able to access restricted content.

Exercise Overview
In this exercise, you will learn how to create virtual directories and configure anonymous authentication.


This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine.
2. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator.
3. Add Basic, Windows Integrated and Digest Security features to the IIS Role.
4. Create a virtual directory named Public.
5. Configure the public virtual directory for anonymous authentication.

Task 1: Start the 6427A-NYC-DC1 virtual machine


Start 6427A-NYC-DC1.

Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator


Start 6427A-NYC-WEB-A, and log on as LocalAdmin with the password of Pa$$w0rd.

Task 3: Add Basic, Windows Integrated and Digest Security features to the IIS Role
Use Server Manager to add the Basic Authentication, Windows Authentication, and Digest Authentication role services to the Web server role.

Task 4: Create a virtual directory named public


Use Internet Information Services Manager to create a virtual directory named public pointing to the physical directory c:\inetpub\public. Copy the contents of c:\inetpub\wwwroot to c:\inetpub\public.


Task 5: Configure the public virtual directory for anonymous authentication


1. Use Internet Information Services Manager to make sure that Anonymous Authentication is enabled for Public.
2. In Server Manager, enable the local Guest account, and allow Guest to log on locally.
3. Use Switch User to log on as NYC-WEB-A\Guest with no password.
4. Open http://localhost/public in the browser to verify that the local guest can browse to the public directory.
5. Use Switch User to log on as local administrator with the password Pa$$w0rd before continuing with the next exercise.
Results: After this exercise, you should have successfully verified that the Public directory is created and loaded the IIS Welcome page in Internet Explorer with the Guest account.


Exercise 2: Creating a Web Site and Web Application


Scenario
Next you will create two web sites, and two web applications, in the employee and restricted virtual directories, named Woodgrove and Exec respectively. Exec will be a .NET 3.0 application. You will also delegate administrative access to ITAdmins_WoodgroveGG.

Exercise Overview
In this exercise, you will learn how to create web sites and applications. This exercise's main tasks are:
1. Create a site named Woodgrove.
2. Copy the Woodgrove application to the appropriate directory.
3. Add the .NET 3.0 Feature to the server.
4. Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG.

Task 1: Create a site named Woodgrove


On NYC-WEB-A, in IIS Manager, add a Web site named Woodgrove and set its physical path to c:\inetpub\woodgrove, and its http port to 88.

Task 2: Copy the Woodgrove Application to the Appropriate Directory


Copy the Woodgrove application from e:\Mod02\Labfiles\Woodgrove to c:\inetpub\woodgrove.

Task 3: Add the .NET 3.0 Feature and ASP.NET to the server
In Server Manager, add .NET 3.0 Framework and ASP.NET.


Task 4: Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG


In IIS Manager, under Permissions, give Full Control to the security group ITAdmins_WoodgroveGG.
Results: After this exercise, you should have successfully installed .NET 3.0 Framework, ASP.NET, and created the Woodgrove site and copied its content.


Exercise 3: Creating an Application Pool


Scenario
You will now create a new application pool for temporary applications.

Exercise Overview
In this exercise, you will learn how to create an application pool. This exercise's main task is:
1. Create an application pool named TempPool.

Task 1: Create an application pool named TempPool


On NYC-WEB-A, in IIS Manager, add an application pool named TempPool.
Results: After this exercise, you should have successfully added an application pool named TempPool.


Exercise 4: Configuring an Existing Application Pool


Scenario
Next, you will configure the new application pools according to the needs for the new applications. You will also practice starting, stopping, and recycling the application pools and configuring health settings. You will also rename the Exec and Woodgrove pools to ExecPool and WoodgrovePool.

Exercise Overview
In this exercise, you will configure the application pools and validate functionality. This exercise's main tasks are:
1. Rename Woodgrove to WoodgrovePool.
2. Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users.
3. Configure TempPool to use LocalSystem as worker process identity.
4. Stop, start and recycle WoodgrovePool.
5. Configure TempPool for Classic Pipeline Mode.
6. Remove TempPool.
7. Configure Health and Recycling settings for WoodgrovePool.

Task 1: Rename Woodgrove to WoodgrovePool


On NYC-WEB-A, in IIS Manager, rename the Woodgrove application pool to WoodgrovePool.

Task 2: Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users
1. In IIS Manager, disable Anonymous authentication for the Woodgrove site.
2. On NYC-SVR1, log on as LocalAdmin with password Pa$$w0rd. Note that this machine is not joined to the domain. Browse to http://nyc-web-a.woodgrovebank.com, then browse to http://nyc-web-a-woodgrovebank.com:88 and compare results.
3. On NYC-WEB-A, browse to http://localhost:88 and compare results.


Task 3: Configure TempPool to use LocalSystem as worker process identity


In IIS Manager, configure the TempPool application pool to use LocalSystem as its worker process identity.

Task 4: Stop, start and recycle WoodgrovePool


1. In IIS Manager, stop the WoodgrovePool application pool and note the status.
2. Start the WoodgrovePool application pool and note the status.
3. Recycle WoodgrovePool and note the status.

Task 5: Configure TempPool for Classic Pipeline Mode


In IIS Manager, configure the TempPool application pool to use the classic pipeline.

Task 6: Remove TempPool


In IIS Manager, remove the application pool TempPool.

Task 7: Configure Health and Recycling settings for WoodgrovePool


In IIS Manager, configure the WoodgrovePool application pool to recycle after every 1000 requests, to log the number of requests, and set the Rapid Fail Failure Interval to 10 minutes.
Results: After this exercise, you should have successfully configured and verified the configuration of the application pools.
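
An added example, not part of the course files: a Python audit of an applicationHost.config fragment that reports the settings touched in this exercise (worker process identity, pipeline mode, request-based recycling, rapid-fail protection) and flags the LocalSystem identity that the authentication lesson calls a serious security risk. The XML is a constructed sample with pool names taken from the lab, and the fallback values are the IIS 7.0 schema defaults as assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment, not copied from the lab machines.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="WoodgrovePool" managedPipelineMode="Integrated">
        <recycling logEventOnRecycle="Requests">
          <periodicRestart requests="1000" />
        </recycling>
        <failure rapidFailProtectionInterval="00:10:00" />
      </add>
      <add name="TempPool" managedPipelineMode="Classic">
        <processModel identityType="LocalSystem" />
      </add>
      <add name="ExecPool">
        <failure rapidFailProtection="false" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

# Assumed IIS 7.0 schema defaults, used when neither the pool nor
# <applicationPoolDefaults> sets the attribute. Keys: (child path, attribute).
SCHEMA_DEFAULTS = {
    ("", "managedPipelineMode"): "Integrated",
    ("processModel", "identityType"): "NetworkService",
    ("recycling/periodicRestart", "requests"): "0",
    ("failure", "rapidFailProtection"): "true",
    ("failure", "rapidFailProtectionInterval"): "00:05:00",
}


def effective(pool, defaults, path, attr):
    """Resolve a setting: the pool first, then applicationPoolDefaults, then the schema."""
    for scope in (pool, defaults):
        if scope is None:
            continue
        node = scope if path == "" else scope.find(path)
        if node is not None and node.get(attr) is not None:
            return node.get(attr)
    return SCHEMA_DEFAULTS[(path, attr)]


def audit_app_pools(config_xml):
    """Return {pool name: effective settings plus a list of findings}."""
    root = ET.fromstring(config_xml.strip())
    pools = root.find(".//applicationPools")
    if pools is None:
        return {}
    defaults = pools.find("applicationPoolDefaults")
    report = {}
    for pool in pools.findall("add"):
        identity = effective(pool, defaults, "processModel", "identityType")
        pipeline = effective(pool, defaults, "", "managedPipelineMode")
        requests = int(effective(pool, defaults, "recycling/periodicRestart", "requests"))
        rfp = effective(pool, defaults, "failure", "rapidFailProtection").lower() == "true"
        interval = effective(pool, defaults, "failure", "rapidFailProtectionInterval")

        findings = []
        if identity == "LocalSystem":
            findings.append("HIGH: worker process runs as LocalSystem")
        if pipeline == "Classic":
            # In Classic mode ASP.NET modules do not see requests for other content types.
            findings.append("INFO: Classic pipeline, ASP.NET modules cover only ASP.NET content")
        if not rfp:
            findings.append("WARN: rapid-fail protection is disabled")

        report[pool.get("name")] = {
            "identity": identity,
            "pipeline": pipeline,
            "recycle_after_requests": requests,  # 0 means no request-based recycling
            "rapid_fail_protection": rfp,
            "rapid_fail_interval": interval,
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for name, info in audit_app_pools(SAMPLE_CONFIG).items():
        print(f"{name}: identity={info['identity']} pipeline={info['pipeline']} "
              f"recycle_after={info['recycle_after_requests']} "
              f"rapid_fail_interval={info['rapid_fail_interval']}")
        for finding in info["findings"]:
            print("   ", finding)
```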


Module Review and Takeaways

Review Questions
1. What is the benefit of the unified request pipeline?
2. What are application pools?
3. How do you remove an application pool?
4. If an application pool is stopped, what response will clients receive?


Module 3
Configuring IIS 7.0 Application Settings
Contents:
Lesson 1: Configuring Application Settings
Lesson 2: Configuring ASP.NET Security
Lab: Configuring IIS 7.0 Application Settings


Module Overview

Because of the runtime integration, IIS and ASP.NET can use the same configuration for enabling and ordering server modules, and configuring handler mappings. Other unified functionality includes tracing, custom errors, and output caching. In this module, you will learn how to configure application settings. You will also learn how to deploy and secure multiple applications on a single Web server.


Lesson 1: Configuring Application Settings

Before configuring application settings, it is important to review how application requests are processed in the new pipeline model and the implications for authentication. In this module, you will learn about custom error messages and deploying applications. You will also learn about application development settings.


Review of the ASP.NET Platform

Key Points
A request arriving for any content type is processed by IIS, with both native IIS modules and ASP.NET modules being able to provide request processing in all stages. The ability to plug directly into the server pipeline allows ASP.NET modules to replace, run before, or run after any IIS functionality.

Question: What is an example of an ASP.NET application? Explain how the content returned to the browser varies.


Installing the ASP.NET Role Service

Key Points
If you use the Add Roles Wizard to install IIS 7.0, you get the default installation, which has a minimum set of role services. If you need additional IIS 7.0 role services, such as Application Development or Health and Diagnostics, make sure to select the check boxes associated with those features in the Select Role Services page of the wizard.

Question: Why isn't ASP.NET installed by default?


Configuring Error Messages

Key Points
Custom error messages let you provide a friendly or a more informative response by serving a file, executing a resource, or redirecting to a URL, when visitors to your site cannot access the content they requested. By default, IIS serves error messages that are defined in files stored in the systemroot\Help\IisHelp\Common folder. You can create a custom error message for users and configure IIS to return this page whenever it encounters a specific HTTP error on your site.

Question: In which scenarios in your organization might you use custom errors for an application?


When to Use Stage and Deploy

Key Points
In previous versions of IIS, moving a Web site from one server to another meant that you had to explicitly configure IIS application settings in the machine-level metabase repository before the application could function properly. With IIS 7.0, however, the process of deploying a Web site is now much easier.

Question: Name three scenarios in your organization in which you might use stage and deploy to deploy an application.


Configuring ASP.NET Compilation and Globalization Settings

Key Points
IIS lets you configure the following .NET compilation settings:
• Batch settings, such as the maximum file size that you can batch and the maximum number of pages that you can have per batched compilation.
• Behavior settings, such as the number of times resources are dynamically compiled before the application is restarted.
• General settings, such as the default programming language that is used in dynamic compilation files.


IIS lets you configure the following globalization settings:
• Culture settings, such as the UI culture.
• Encoding settings, such as encoding for response headers.

Question: What is the difference between culture settings and language settings? Give an example of both.


Configuring ASP.NET Session State and Pages and Controls

Key Points
Session State: When clients visit a site, they generally navigate from one page to another and frequently change some of the pages they visit. If you want to track where they go and what they change, you must configure session state. Session state can be saved in process or on a server.


Pages and Controls: IIS 7.0 lets you configure the following ASP.NET page and user controls settings:
• Behavior settings: for example, whether the Web page maintains its view state and the view state of any server controls it contains when the current page request ends.
• General settings: for example, namespaces that are included for all pages.
• Compilation settings: for example, whether pages are compiled or interpreted.
• Services: for example, whether session state is enabled.

Question: How might a shopping cart application use state information?


Configuring ASP.NET Connection Strings and Providers

Key Points
A connection string provides the information that an application or provider must have to communicate with a particular database. A connection string usually supplies the server or location of the database server, the particular database to use, and the authentication information. If you use a connection string, this enables you to connect to databases from managed code applications in a centralized manner.


ASP.NET 2.0 includes several services that store state in a database or other data store. A provider is a software module that implements a uniform interface between one of these services and a data source. In IIS 7.0, you can set the default provider for your application. You can also configure the provider properties. For example, Users is a provider-based feature where one provider stores the user data in Microsoft SQL Server whereas another provider stores the user data in a text file.

Question: How do you use database servers in your current Web application deployments?


Configuring ASP.NET Application Settings and Machine Key

Key Points
Configure application settings when you want to store key/value pairs as part of your configuration in the Web.config file. Application settings provide a quick, easy-to-access area to store configuration data for your application.


Machine keys help protect Forms authentication cookie data and page-level view state data. They also verify out-of-process session state identification. ASP.NET uses the following types of machine keys:
• A validation key computes a Message Authentication Code (MAC) to confirm the integrity of the data. This key is appended to either the Forms authentication cookie or the view state for a specific page.
• A decryption key is used to encrypt and decrypt Forms authentication tickets and view state.

Question: What are some examples of Web application settings and how are they used by the application?


Lesson 2: Configuring ASP.NET Security

In this lesson, you will learn about securing content and your Web server through File and Folder security. You will also learn about configuring advanced security to reduce the attack surface of your application, adding ISAPI filters in Classic mode, and configuring .NET trust levels.


Configuring File and Folder Security

Key Points
A virtual directory is a directory name, used in an address, which corresponds to a physical directory on the server. You can add a virtual directory to include directory content in a Web site or Web application without needing to move the content physically into that Web site or Web application directory. When an application uses content from a virtual directory, whether local or on a remote file share, you must configure that directory's security to allow the application pool identity read and/or write access. In addition, any other resources that your application needs to access or modify must be configured to allow the appropriate permissions.

Question: What is an ACL?


Configuring Advanced Security to Reduce Attack Area

Key Points
You can improve server security by reducing the number of attack points. This means only installing what you need and disabling any unnecessary functionality.

Question: When would you configure authentication to apply to multiple content types?


Adding ISAPI Filters

Key Points
Internet Server Application Programming Interface (ISAPI) filters are programs that you can add to IIS to enhance Web server behavior. ISAPI filters receive every HTTP request made to the Web server to provide additional functionality for the server, such as logging request information, authenticating and authorizing users, rewriting URLs, and compressing Web content to reduce bandwidth cost. In IIS 7.0, modules replace ISAPI filters, but you can still add ISAPI filters if you require the functionality that they provide. You can add ISAPI filters at the server level and the site level. If you add the ISAPI filter at the server level, the filter will intercept all requests made to the server. If you add the ISAPI filter to a specific site, the filter will intercept all requests made to that site.

Question: How are you using ISAPI filters in your organization's applications today?


Configuring .NET Trust Levels

Key Points
An application's trust level determines the permissions that are granted by the ASP.NET code access security (CAS) policy. CAS defines two trust categories: full trust and partial trust. An application that has full trust permissions can access all resource types on a server and perform privileged operations. Applications with full trust are affected only by the security settings of the operating system.

Question: When might you change the .NET trust level of an application?


Lab: Configuring IIS 7.0 Application Settings

Exercise 1: Configuring ASP.NET


Scenario
You receive a service request from the Enterprise Design Team to deploy an application server. You need to add and configure the ASP.NET role service, and Application Server role, on the Web Server. The server will be available from the Internet and Sales Associates will need to log in with the user name sales and password support from their clients' sites to get contact information for support. This requires a medium level of security. If there is an error, the error message returned to the client browser should direct the user to contact their district sales manager for login information.

Exercise Overview
In this exercise, you will learn how to add the ASP.NET role service and configure ASP.NET. You will choose and configure the appropriate authentication model, and set up custom error pages to handle HTTP errors.


This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine.
2. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator.
3. Add ASP.NET and Basic Security features to the IIS Role.
4. Create the SalesSupport application and copy the ASP.NET application files.
5. Configure Basic Security to allow access to authenticated Woodgrovebank domain users.
6. Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors.

Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as LocalAdmin


Start 6427A-NYC-DC1, and log on as LocalAdmin with the password of Pa$$w0rd.

Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator


Start 6427A-NYC-WEB-A, and log on as Administrator with the password of Pa$$w0rd.

Task 3: Add ASP.NET and Basic Security features to the IIS Role
On NYC-WEB-A, use Server Manager to add the ASP.NET and Basic Authentication role services.

Task 4: Create the SalesSupport application and copy the ASP.NET application files
1. On NYC-WEB-A, use IIS Manager to add the SalesSupport application with a physical path of c:\inetpub\wwwroot\SalesSupport.
2. Copy the application files from E:\Mod03\Labfiles\SalesSupport to c:\inetpub\wwwroot\SalesSupport.


Task 5: Configure Basic Security to allow access to authenticated Woodgrovebank domain users
1. On NYC-WEB-A, use IIS Manager to disable Anonymous Authentication and enable Basic Authentication for the domain and realm woodgrovebank.
2. Browse to http://localhost/salessupport. Notice that you are prompted for credentials. Enter user name yvonne with password Pa$$w0rd.
3. Close and reopen the browser, and then browse again to http://localhost/salessupport. Try logging in with credentials that do not have a domain account, such as user name Bob with no password.
4. Close the browser before continuing to the next task.

Task 6: Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors
1. Copy the contents of E:\Mod03\Labfiles\WBErrors to c:\inetpub\custerr\en-US.
2. In IIS Manager, edit the custom error for error 401 so that it redirects to 401.aspx.
3. Edit the custom error code for error 404 so that it redirects to Other_Errors.aspx. Note that you would repeat this for the rest of the error codes if you were doing this in a real world situation.
4. Open Internet Explorer and browse again to http://localhost/salessupport. Try logging in with credentials that do not have a domain account, such as user name Bob with no password. If prompted, assign the site to the allowed list, and then note the custom 404 error.

Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, configured Basic authentication, and verified custom error pages in Internet Explorer.


Exercise 2: Configuring ASP.NET Application Development Settings


Scenario
Next you will configure some test settings for the SalesSupport application. The Enterprise Design team is planning on implementing a database to store the support resource data. You will need to enter the provided connection string. You will also rename the cookie that the page uses to SalesSupport. Next you will create a custom control for testing the new configuration. Finally, you will set some application settings and then verify that the application can read them by loading the custom test page.

Exercise Overview
In this exercise, you will learn how to configure ASP.NET application development settings. This exercise's main tasks are:
1. Configure ASP.NET Connection Strings to connect to Resources.MDF.
2. Configure ASP.NET Session State settings to rename the cookie to SalesSupport.
3. Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0.
4. Add application settings at Site and Application levels.

Task 1: Configure ASP.NET Connection Strings to connect to Resources.MDF


On NYC-WEB-A, in IIS Manager, modify the Connection Strings for the SalesSupport application to use the following connection string as LocalResources:
data source=.\SQLEXPRESS;AttachDbFileName=e:\mod03\labfiles\resources.mdf;Integrated Security=True


Task 2: Configure ASP.NET Session State settings to rename the cookie to SalesSupport
Rename the Session State cookie name to SalesSupport_SessionID.

Task 3: Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0


In IIS Manager, register a new custom control with the tag prefix of Woodgrovebank. Set the Namespace to TestControls and the Assembly to Version=1.0.0.0.

Task 4: Add application settings at site and application levels


1. Open Internet Explorer and browse to http://localhost/salessupport/test.aspx. Enter username yvonne and password Pa$$w0rd. Notice that the test application reports that no application settings are defined.
2. In IIS Manager, add an Application setting named DefaultLocation with the value "New York" to the Default Web Site.
3. In Internet Explorer, refresh the page and compare the results.
4. In IIS Manager, note the inheritance setting for the Application Settings. Add another Application setting named debug_mode with value "true".
5. In Internet Explorer, refresh the page and compare results. Close Internet Explorer before continuing.

Results: After this exercise, you should have configured ASP.NET development settings and verified test page functionality.


Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools
Scenario
You will now deploy the SalesSupport application to two new instances. One instance will be a test deployment with additional testing configuration. Another instance will be for the German division of Woodgrove and will need to be set for German globalization settings. Additionally, you will disable the debug mode for the production version of SalesSupport.

Exercise Overview
In this exercise, you will learn how to create an application pool. This exercise's main tasks are:
1. Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test.
2. Create the applications SalesSupport_De and SalesSupport_Test.
3. Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories.
4. Assign the applications to the appropriate application pools.
5. Configure application pool recycling for unlimited requests.
6. Configure the SalesSupport_Test application pool to record recycled events.
7. Configure the SalesSupport .NET compilation debug setting to False.
8. Configure the SalesSupport_De application globalization settings for Germany.

Task 1: Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test
On NYC-WEB-A, in IIS Manager, add three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test.


Task 2: Create the applications SalesSupport_De and SalesSupport_Test


1. In IIS Manager, create an application named SalesSupport_De with a physical path of c:\inetpub\wwwroot\SalesSupport_De.
2. Create an application named SalesSupport_Test with a physical path of c:\inetpub\wwwroot\SalesSupport_Test.

Task 3: Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories
At the command prompt, change to the c:\inetpub\wwwroot directory and then use XCopy to copy the files and directory structure from SalesSupport to SalesSupport_De and SalesSupport_Test.

Task 4: Assign the applications to the appropriate application pools


1. In IIS Manager, modify the SalesSupport, SalesSupport_De and SalesSupport_Test applications to use their correspondingly named application pools.
2. Disable anonymous authentication and enable basic authentication with the domain and realm of woodgrovebank for both SalesSupport_De and SalesSupport_Test applications.

Task 5: Configure production application pool recycling for unlimited requests


In IIS Manager, modify the SalesSupport and SalesSupport_De application pool recycling so that they do not recycle on regular intervals.

Task 6: Configure the SalesSupport_Test application pool to record recycled events


In IIS Manager, modify the SalesSupport_Test application pool recycling to recycle every 1024 requests, and modify the Recycling Events to Log to log number of requests, On-Demand, and Configuration Changes.


Task 7: Configure the SalesSupport .NET compilation debug setting to False


In IIS Manager, modify the SalesSupport .NET Compilation behavior settings so that Debug is False.

Task 8: Configure the SalesSupport_De application globalization settings for Germany


1. In IIS Manager, modify the SalesSupport_De .NET Globalization settings so that culture and UI Culture are set to German (Germany) (de-DE).
2. Start Internet Explorer and browse to http://localhost/salessupport and enter user name yvonne and password Pa$$w0rd.
3. On a second and third tab, browse to http://localhost/salessupport_de and http://localhost/salessupport_test with yvonne's credentials so that all three applications are loaded in the browser.
4. Open Task Manager and note the instances of w3wp.exe.
5. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx and notice the date format in the page. Close Internet Explorer before continuing.

Results: After this exercise, you should have successfully deployed multiple applications with separate application pools, configured recycling and debug settings, and configured and verified .NET globalization settings.


Exercise 4: Configuring ASP.NET Security


Scenario
Next, you will configure the machine key, .NET trust level, and File and Folder security.

Exercise Overview
In this exercise, you will configure ASP.NET security settings. This exercise's main tasks are:
1. Set the machine key of SalesSupport_de.
2. Configure the SalesSupport_Test site for medium trust level.
3. Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page on SalesSupport.
4. Enable Tracing and Logging for the SalesSupport_Test site.
5. Configure Request Filtering so that only ASPX requests are processed.

Task 1: Set the machine key of SalesSupport_de


On NYC-WEB-A, in IIS Manager, generate a new Machine Key for SalesSupport_De.

Task 2: Configure the SalesSupport_Test site for medium trust level


In IIS Manager, set the .NET Trust Level to Medium for the application SalesSupport_Test.


Task 3: Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page in SalesSupport
1. In IIS Manager, modify the permissions of SalesSupport\test.aspx so that permissions are not inherited and only ITAdmins_WoodgroveGG is allowed.
2. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and try to use the credentials of yvonne as user name and password Pa$$w0rd.
3. Refresh the page and log in with a user account that is a member of ITAdmins_WoodgroveGG, such as user name Betsy and password Pa$$w0rd.
4. Close Internet Explorer before continuing.

Task 4: Enable Tracing and Logging for the SalesSupport_Test site


1. In IIS Manager, add all of the role services for Health and Diagnostics to the Web Server role.
2. In Notepad, open c:\inetpub\wwwroot\SalesSupport_Test\test.aspx.
   a. Modify the first line to read:
      <%@ Page Language="C#" trace="true" %>
   b. Modify the fifth line to read:
      Response.Write("This message should appear");
   c. Save the file and close Notepad.
3. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx and use credentials of user name Betsy and password Pa$$w0rd if prompted.
4. Examine the page for trace messages and information. Close Internet Explorer.
5. In IIS Manager, enable Web Site Failed Request Tracing for the Default Web Site, and then add a Failed Request Tracing Rule to trace ASP.NET for Status code 200 with verbose results.
6. Open Internet Explorer, and browse to http://localhost/salessupport_test/test.aspx and use credentials of user name Betsy and password Pa$$w0rd if prompted.
7. In Internet Explorer, open the most recent fr######.xml file from c:\inetpub\logs\failedreqlogfiles\w3svc. Examine the Errors and Warning section.

Task 5: Configure Request Filtering so that only ASPX requests are processed
1. In Internet Explorer, browse to http://localhost/welcome.png, and then browse to http://localhost/iisstart.htm. Notice that this page contains the graphic. Close Internet Explorer.
2. In Notepad, open c:\inetpub\wwwroot\web.config.
3. After the sixth line, add the following security section:
   <security>
     <requestFiltering>
       <fileExtensions allowUnlisted="false">
         <add fileExtension=".aspx" allowed="true"/>
       </fileExtensions>
     </requestFiltering>
   </security>
4. Save the file and close Notepad.
5. Open Internet Explorer, and browse to http://localhost/welcome.png. Notice the error. Browse to http://localhost/iisstart.htm. Notice the error.
6. At the command prompt, change to the c:\inetpub\wwwroot directory and then copy iisstart.htm to iisstart.aspx.
7. In Internet Explorer, browse to http://localhost/iisstart.aspx. Notice that the page loads without error, but the graphic does not display.
Results: After this exercise, you should have successfully configured and verified the configuration of the advanced security settings for ASP.NET.
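
The effect of the Task 5 rule on the lab's three URLs can be reproduced offline. The following Python sketch is an added example, not part of the course material: it models only the fileExtensions allow list for URLs that carry an extension, treats extension matching as case-insensitive (an assumption), and uses a constructed one-line page in place of iisstart.aspx; all function names are illustrative.

```python
import posixpath
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# The <security> section that Task 5 adds to the site's web.config.
LAB_POLICY = """
<security>
  <requestFiltering>
    <fileExtensions allowUnlisted="false">
      <add fileExtension=".aspx" allowed="true"/>
    </fileExtensions>
  </requestFiltering>
</security>
"""

# Constructed stand-in for iisstart.aspx: a page that embeds welcome.png.
SAMPLE_PAGE = '<html><body><img src="welcome.png" alt="IIS7"></body></html>'


class SrcCollector(HTMLParser):
    """Collects the src attribute of every tag (images, scripts, frames)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value)


def load_policy(xml_text):
    """Return (allow_unlisted, {extension: allowed}) from a <security> section."""
    node = ET.fromstring(xml_text).find(".//fileExtensions")
    if node is None:  # no rule configured: nothing is filtered by extension
        return True, {}
    allow_unlisted = node.get("allowUnlisted", "true").lower() == "true"
    rules = {a.get("fileExtension").lower(): a.get("allowed").lower() == "true"
             for a in node.findall("add")}
    return allow_unlisted, rules


def decide(url, policy):
    """Return 'allowed' or 'denied' for a URL whose last segment has an extension."""
    allow_unlisted, rules = policy
    name = posixpath.basename(urlsplit(url).path)
    ext = posixpath.splitext(name)[1].lower()
    if not ext:
        return "not modelled"  # extensionless URLs are outside this sketch
    # A listed extension uses its own flag; anything else falls back to allowUnlisted.
    return "allowed" if rules.get(ext, allow_unlisted) else "denied"


def blocked_subresources(page_url, html, policy):
    """List the embedded resources of a page that the policy would deny."""
    collector = SrcCollector()
    collector.feed(html)
    urls = [urljoin(page_url, src) for src in collector.sources]
    return [u for u in urls if decide(u, policy) == "denied"]


if __name__ == "__main__":
    policy = load_policy(LAB_POLICY)
    for url in ("http://localhost/welcome.png",
                "http://localhost/iisstart.htm",
                "http://localhost/iisstart.aspx"):
        print(url, "->", decide(url, policy))
    print("blocked on iisstart.aspx:",
          blocked_subresources("http://localhost/iisstart.aspx", SAMPLE_PAGE, policy))
```

IIS reports a request blocked by this rule as HTTP 404.7 (file extension denied). The last line of output shows why the copied page loads while its graphic does not: an allow list has to name every file type a page depends on.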


Lab Review


Module Review and Takeaways

Review Questions
1. How can you improve the user experience when a problem is encountered?
2. What are application settings and how are they used?
3. If an application is completely self-contained and does not need to access external information, what is the best setting for its .NET trust level?


Module 4
Configuring IIS 7.0 Modules
Contents:
Lesson 1: An Overview of IIS 7.0 Modules
Lesson 2: Reviewing Native Module Functionality
Lesson 3: Configuring Native Modules
Lesson 4: Configuring Managed Modules
Lab: Configuring and Editing Modules


Module Overview

IIS 7.0's Web-server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Modules are added to the server in order to provide the desired functionality for your applications. Likewise, all IIS modules can be removed, or replaced with custom modules developed using the new IIS 7.0 C++ APIs, or the familiar ASP.NET 2.0 APIs.


Lesson 1

An Overview of IIS 7.0 Modules

IIS 7.0 provides significant enhancements over IIS 6.0 in many areas, particularly with regard to customization and modularity. The modular nature of IIS 7.0 offers many administrative advantages, including increased security, expandability, and customization.


Reviewing IIS 6.0 Request Processing

Key Points
IIS 6.0 features a monolithic implementation which forces the administrator to install all or nothing. IIS 6.0 extends server functionality only through Internet Server Application Program Interface (ISAPI), which restricts expandability.

Question: Have you encountered any limitations with IIS 6.0 where you expect improvement by deploying IIS 7.0?


Reviewing IIS 7.0 Request Processing

Key Points
The server functionality is split into many modules. The request-processing architecture consists of a list of modules that perform specific tasks in response to requests. You can manage all of the modules in one location, instead of managing some features within IIS and some in the ASP.NET configuration.

Question: Which modules do you think pose the greatest security risk, and which would you most likely not deploy in your organization?


Comparing IIS 7.0 Modules with ISAPI Filters

Key Points
ISAPI filters are programs that you can add to IIS to enhance Web server behavior. In IIS 7.0, modules replace ISAPI filters, but you can still add ISAPI filters if you require the functionality that they provide.


Comparing Handlers with Modules

Key Points
In IIS 7.0, handlers process requests made to sites and applications. Handlers map to resources on the Web server and generate responses for requests. Modules process parts of a request to provide a desired service, such as authentication or compression. Typically, modules do not generate responses to clients; instead, handlers perform this action because they are better suited for processing specific requests for specific resources.


Lesson 2

Reviewing Native Module Functionality

Native modules are components that are built into IIS 7.0 and can be deployed, configured, and managed to suit the needs of the individual Web site and server.


Reviewing Native Modules Registered by Default

Key Points
A minimal number of modules are registered by default for a base configuration of IIS 7.0. These modules perform basic functions like managing anonymous authentication, serving static files, and managing basic logging.

Question: Can you describe any scenarios where you would want to de-register any of these basic modules?


Reviewing Native Modules Not Registered by Default

Key Points
These modules primarily manage caching and so should be deployed to improve server performance in situations where they would match the types of content being served.

Question: Which of these modules would be useful for Web sites that you've deployed?


Understanding Information in applicationHost.config

Key Points
ApplicationHost.config is the root file of the IIS 7.0 configuration system. This is the main configuration file for IIS. It includes definitions of all sites, applications, virtual directories and application pools, as well as global defaults for the web server settings. This file has two main groups of settings:

system.applicationHost: Contains all the settings for the activation service, application pools, the logging settings, the listeners, and the sites. These settings are centralized and can only be defined within applicationHost.config.

system.webServer: Contains all the settings for the Web server, such as the list of modules and ISAPI filters, ASP, CGI and others. These settings can be set in applicationHost.config as well as any web.config.


In applicationHost.config my Sites section looks as follows:


<sites>
  <site name="Default Web Site" id="1">
    <application path="/" applicationPool="DefaultAppPool">
      <virtualDirectory path="/" physicalPath="c:\inetpub\wwwroot" />
    </application>
    <bindings>
      <binding protocol="HTTP" bindingInformation="*:80:" />
    </bindings>
  </site>
</sites>

<sites> Section that lists all registered Web sites.
<site> Individual Web site definition.
<application> Associated applications and settings for Web site.
<virtualDirectory> Virtual Directory for Web site.
<bindings> Site bindings and port information.


Lesson 3

Configuring Native Modules

It is easy to manage the native modules in IIS 7.0. They can be managed by manually editing the IIS 7.0 configuration store, by using the IIS Manager, or by using the AppCmd.exe command line tool.


Registering a Native Module

Key Points
In order to install a native module, it needs to be registered with the server. It can be registered by manually editing the applicationHost.config file, by using the IIS Manager, or by using the AppCmd.exe command line tool. Editing the applicationHost.config file offers you greater control over how to register native modules.


Editing Registration for a Native Module

Key Points
After you register a native module from this dialog box, you must also add it to the Modules list on the Web server before the module can process requests. In the Edit Native Module Registration dialog box, you can enter the descriptive module name and the full path and file name of the associated .dll file.


Configuring Native Modules with IIS Manager

Key Points
Use the Modules feature page to manage the native modules and managed modules. The Modules feature page lists all the modules currently installed on the server. The information displayed includes name, code, module type, and entry type.


Using the IIS Manager to Enable a Native Module

Key Points
After you register a native module, that module will be loaded and available in every application pool on the server, but you must also enable it by adding it to the list on the Modules feature page. Only server administrators can add native modules to the Web server. Native modules can be added only at the server level in IIS 7.0.


Reviewing the Native Modules Dialog Boxes

Key Points
Use the Add Module Mapping and Edit Module Mapping dialog boxes to add new or edit existing module mappings on the Web server. You can map a specific file or file name extension to a native module on the Web server, so that when a user requests the file or a file that has the specified extension, the module will process the request.


Removing a Native Module

Key Points
You can un-install a native module if that module is no longer in use on the server, or if you would like to replace it with another module. You can un-install a native module by removing the corresponding module entry from the <globalModules> configuration list, and the associated entry in the <modules> configuration list. You can un-install a native module by manually editing the applicationHost.config file, using the IIS Manager, or using the AppCmd.exe command line tool.


Removing a Native Module by Editing the Config File

Key Points
When you remove a native module from a site or an application, you are removing the associated native module from a specific application on the server, but you are not removing the registration of the native module from the Web server. Typically this is a more reliable method. Using the GUI Server Management Console to remove modules can be imprecise at times. Sometimes the Server Management Console may not remove all the necessary entries from the applicationHost.config file. Directly editing applicationHost.config offers you greater control over how to disable native modules.


Lesson 4

Configuring Managed Modules

A managed module does not require installation, and can be enabled directly for each application.


Using and Installing Managed Modules

Key Points
A managed module does not require installation, and can be enabled directly for each application. Enabling a module allows it to provide its service for a particular application. In order to enable a native module, it must first be installed on the server. Managed module types include built-in managed modules and user-created C# programs.

Question: In what scenarios in your organization would you find it useful to develop modules in C#?


Configuring a Managed Module

Key Points
IIS 7.0 includes several managed modules that process parts of requests, such as authentication and caching. You can edit existing managed modules, or add new modules to extend the functionality of the Web server.


Editing a Managed Module Using the IIS Manager

Key Points
You can use the IIS Manager to change the settings for a managed module.


Editing a Managed Module Using the Command Line

Key Points
To edit a managed module at the server level, use the following syntax:

appcmd set module /name:string /type:string /preCondition:string

The variable name:string is the name of the managed module that you want to edit at the server level. The variable type:string is the managed type for the module. Optionally, specify a condition or conditions under which the module will run by including the variable preCondition:string.


Removing a Managed Module Using the IIS Manager

Key Points
You can remove a managed module from a site or application if the site or application does not require the module for processing. Removing a managed module means that the module is removed from the list of active modules; however, the code still exists on the Web server. You can add the module again if application requirements change.


Lab: Configuring and Editing Modules

Exercise 1: Configuring and Editing Native Modules


Scenario
You received a service request from the application development team specifying the modules that are required to install, test, and run an application on the specified Web server. To reduce the server footprint and vulnerability, you must remove the unnecessary modules.

Exercise Overview
In this exercise, students will learn how to remove native modules from a Web server to improve security and reduce the server footprint. The main tasks for this exercise are as follows:
1. Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator.
2. Back up the current Web server configuration.
3. Examine the modules currently installed on the Web server.
4. Remove the Default Document Module and the Directory Listing Module.
5. Validate that the modules have been removed and test the new server configuration.
6. Restore the modules to the Web server configuration.
7. Validate that the modules have been restored and test the server configuration.

Task 1: Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator


Start 6427A-NYC-WEB-B, and log on as Administrator with the password of Pa$$w0rd.

Task 2: Back up the current Web server configuration

Open command prompt and use appcmd to back up the server configuration.

Task 3: Examine the modules currently installed on the Web server


Use the IIS Manager to examine the modules.

Task 4: Remove the Default Document Module and the Directory Listing Module
1. Browse the default Web site.
2. Use Notepad to edit the applicationHost.config.
3. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <globalModules> tag.
4. Delete the references to the DefaultDocumentModule and the DirectoryListingModule from within the <handlers accessPolicy="Read, Script"> tag.
5. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <modules> tag.


Task 5: Validate that the modules have been removed and test the new server configuration
1. 2. 3. Use IIS Manager to validate that the removed modules entries are missing. Use Internet Explorer to check the default Web site. Use Internet Explorer to retrieve the default Web page. Default Web pageURL: http://localhost/default.aspx

Task 6: Restore the modules to the Web server configuration


Open a command prompt and use appcmd to restore the server configuration.

Task 7: Validate that the modules have been restored and test the server configuration
Open a command prompt and use appcmd to back up the server configuration.
Results: After this exercise, you should have successfully removed native modules from a Web server, and then confirmed that the server operates as expected.


Exercise 2: Configuring and Editing Managed Modules


Scenario
To increase throughput, it has been determined that output caching would be beneficial on some of the applications on the Web server. You need to make sure that the Output Cache module is installed and configured as specified in the service request. The development team also requested the installation of a new Managed Module that provides an additional level of logging for their application.

Exercise Overview
In this exercise, students will learn how to add new managed modules to a Web server. The main tasks for this exercise are as follows:
1. Install the logging managed module.
2. Confirm the installation of the logging managed module.
3. Test the Web site's forms authentication page.
4. Examine the modules currently running on the Web server.
5. Remove the forms authentication managed module.
6. Test the new configuration.

Task 1: Install the logging managed module


1. Create a new folder: C:\inetpub\logging_module\
2. Copy files for the logging_module Web site.
   Source: E:\Mod04\Labfiles\logging_module
   Destination: C:\inetpub\logging_module\
3. Change the security for C:\inetpub\logging_module\logs to allow Users (NYC-WEB-B\Users).
4. Use IIS Manager to add a new Web site:
   Site name: logging_module
   Physical path: C:\inetpub\logging_module
   Port: 8181

Task 2: Confirm the installation of the logging managed module


1. Use Internet Explorer to view the logging_module Web site.
2. Load the Web site's second page.
3. Use IIS Manager to examine the modules for the logging_module Web site.
4. Examine the logs created by the logging_module Web site.
   Location: C:\inetpub\logging_module\logs

Task 3: Test the Web site's forms authentication page


Use Internet Explorer to log into the default Web site and retrieve a confidential memo.
Destination: Shared Documents
Email: lmartin@woodgrovebank.com
Password: Pa$$w0rd
Memo: Woodgrove Confidential Memo

Task 4: Examine the modules currently running on the Web server


Use IIS Manager to examine the OutputCache module.


Task 5: Remove the forms authentication managed module


Use IIS Manager to remove the FormsAuthentication module.

Task 6: Test the new configuration


Attempt to view the Shared Documents folder again using Internet Explorer.
Results: After this exercise, you should have successfully added a managed module to the Web server.


Module Review and Takeaways

Review Questions
1. What typically generates the response to the client: native modules, managed modules, ISAPI filters, or handlers?
2. Do both native modules and managed modules need to be added to the <globalModules> configuration section of the applicationHost.config?
3. Native module files have what type of file extension?
4. When would you use the precondition variable?
5. You need a new managed module built by the development team. What programming language would you recommend that they use for creating the module?


Common Issues related to a particular technology area in the module


Identify the causes for the following common issues related to a particular technology area in the module and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: If you do not see the module on the Modules page, it has not been enabled.
Troubleshooting tip: To enable the module, you must open the Configure Native Modules dialog box, select the check box of the module, and then click OK.

Real-world Issues and Scenarios


1. Trey Research wants to deploy a new Web site but they want to make it exclusively for the use of its remote researchers. What security measures would you put in place? Would you remove any of the native modules that are installed by default? How would you remove the modules? Deploy security and authentication on the Web server. Remove the anonymous authentication module by editing the applicationHost.config.

2.

Best Practices related to a particular technology area in this module


Supplement or modify the following best practices for your own work situations:
Directly editing applicationHost.config offers greater control and is preferred over using the IIS Manager tool. Typically this is a more reliable method, and offers you more flexibility over how to manage and configure native modules.
Make sure you are set up with Administrator credentials before you attempt to uninstall a native module by removing the entries from the <globalModules> and <modules> sections. Because the <globalModules> configuration section is only settable at the server level, you must be an administrator to uninstall a module.


Tools
Tool                          Use for                            Where to find it
IIS Manager                   Configuring modules                Administrative tools
Microsoft Visual C# Express   Editing code for managed modules   Free download
Notepad                       Editing applicationHost.config     Accessories


Module 5
Securing the IIS 7.0 Web Server and Web Sites
Contents:
Lesson 1: Configuring Secure Web Sites and Servers
Lesson 2: Configuring Other Aspects of Web Server Security
Lesson 3: Configuring Logging for IIS 7.0
Lab: Securing the IIS 7.0 Web Server and Web Sites


Module Overview

Web servers are often placed in a very precarious position. They are typically public-facing servers, but they also need to maintain very tight security in order to maintain the integrity of the server and to maintain confidence among their users. Microsoft IIS 7.0 provides many tools and techniques for maintaining a highly secure Web server environment.


Lesson 1

Configuring Secure Web Sites and Servers

There are many tools and techniques available for securing Web sites and servers. These include techniques such as restricting certain IP addresses, setting up authorization rules, and managing authentication. By using these and other techniques, you can make your Web server more secure.


Managing IIS 7.0 Security

Key Points
There are many features and tools built in to IIS 7.0 that allow customizing of Web site and server security. These tools help secure and restrict unauthorized access to the Web sites and server.


Reviewing Features That Can Be Used to Secure IIS

Key Points
There are many features that can be used to secure an IIS 7.0 server. Some of them are designed as part of the IIS 7.0 system and installation process, while others need to be manually configured and monitored by the administrator. These features should be manually configured to ensure high security:
Employ minimal install: IIS 7.0 features a completely modular Web server where only the bare minimum number of components are installed.
Manage IP and domain restrictions: Administrators can use address and domain restrictions to define and manage rules that allow or deny access for a specific IP address.
Deploy restrictive authentication: Authentication helps you confirm the identity of users requesting access to your Web sites.
Deploy HTTP request filtering: Allows you to monitor all incoming URLs and suppress certain strings before they are processed.
Restrict directory browsing: When the default document and directory browsing are disabled, client browsers receive a 403 Forbidden error.

Question: Which of these techniques do you think will be most effective at securing a Web server in your organization?


Managing IP and Domain Restrictions

Key Points
IP address and domain restrictions can restrict or grant access to Web site content based on the IP addresses or domain names of the client computers that connect to it. IP address and domain restrictions can restrict or grant access to specific users or organizations that Web site administrators deem harmful or unwanted.

Question: In what scenarios might IP address-based restrictions be useful to your organization?


Reviewing Authorization Rules

Key Points
Authorization allows users to access Web server content, and you can authorize content based on NTFS permissions, publishing point permissions, and the client's IP address.

Question: Authorization rules may be more complex to deploy and manage. In what scenarios are authorization rules required?


Configuring Authorization Rules

Key Points
Authorization rules can be defined for specific verbs, specific roles, specific users, and/or specific groups.


You do not have to use the User Interface to specify URL Authorization settings. You can specify URL Authorization rules directly in your web.config file.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="BobAndFriends" />
      </authorization>
    </security>
  </system.webServer>
  <location path="bobsSecret.aspx">
    <system.webServer>
      <security>
        <authorization>
          <remove users="" roles="BobAndFriends" verbs="" />
          <add accessType="Allow" users="Bob" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>


Managing Authentication

Key Points
Integrated Windows authentication requires a client to respond correctly to a server-initiated challenge. Forms authentication relies on redirection to a login page to determine the identity of the user. Digest authentication uses a Windows domain controller to authenticate users who request access to content on your Web server. Digest authentication offers the same features as Basic authentication but involves a different way of transmitting the authentication credentials. The authentication credentials pass through a one-way process, often referred to as hashing. The result of this process is called a hash, or message digest, and it is not feasible to decrypt it. Digest authentication is structured to be usable across proxy servers and other firewall applications and is available to Web Distributed Authoring and Versioning (WebDAV).


IIS 7.0 may use authentication to identify users. This information can be placed in log files or you can use it in combination with authorization plug-ins to control content access. IIS 7.0 offers many different types of authentication to optimally customize the level of security and access to Web sites.

Question: Why would you want to use authentication?


Managing Application Security

Key Points
ISAPI and CGI restrictions are request handlers that allow dynamic content to execute on a server. Allowing all unspecified extensions is a security risk, because your Web server could become susceptible to computer viruses or worms that exploit these technologies. To reduce this risk, as a best practice you should allow only those specific ISAPI extensions or CGI files that you need to run on your Web server.

Question: Do you currently support technologies like CGI or ISAPI at your organization? Do you have any security measures in place to manage these applications?


Managing Rights and Permissions to Web Site Files

Key Points
Authentication helps you confirm the identity of users requesting access to your Web sites. IIS 7.0 supports both challenge-based and login redirection-based authentication methods. A challenge-based authentication method, for example, Integrated Windows authentication, requires a client to respond correctly to a server-initiated challenge. A login redirection-based authentication method, for example, Forms authentication, relies on redirection to a login page to determine the identity of the user. You cannot use both a challenge-based authentication method and a login redirection-based authentication method at the same time.


Question: In what scenarios would a challenge-based authentication method be preferred?

Question: In what scenarios would a login redirection-based authentication method be preferred?


Configuring Access Using Authentication

Key Points
There are many different types of authentication available in IIS 7.0. Different types of authentication can provide different types of Web site security. Only Anonymous Authentication is enabled by default.

Question: How does the processing of authorization differ from authentication?


Lesson 2

Configuring Other Aspects of Web Server Security

There are additional tools and techniques that can be managed to enhance Web server security. Certificates are a key component of creating a trusted relationship between the Web client and the Web server.


Reviewing Certificates

Key Points
Web server certificates protect Internet communication by establishing a trust relationship between the Web client and Web server. You can obtain certificates from a mutually trusted third-party organization called a certification authority. You can also self-generate certificates in your own organization using your Web server infrastructure. Server certificates provide a way for users to confirm the identity of your Web site before they transmit personal information, such as a credit card number.

Question: Describe some common scenarios that use certificates and SSL-encrypted connections.


Managing Certificates to Secure Web Sites

Key Points
Adding security certificates to Web sites is very easy. There are several tools and wizards available in IIS 7.0 for managing certificates.

Question: Can any of your Web sites benefit from the addition of security certificates?


Managing Certificates to Secure Web Servers

Key Points
Renewing expired certificates is easy. There are several tools and wizards available in IIS 7.0 for managing certificates.

Question: Do you currently use Web server certificates? Do you plan on deploying them in the future for new projects?


Managing Request Filtering

Key Points
URLScan was a security tool that was provided as an add-on to earlier versions of IIS so administrators could enforce tighter security policies on their Web servers. There are many different filters that can be deployed when managing Request Filtering.

Question: What attacks, malware, viruses and worms can be stopped by implementing Request Filtering?


Minimizing the Modules to Secure the Web Server

Key Points
IIS 7.0 features a completely modular Web server infrastructure where only the bare minimum number of components are installed and enabled by default. The modular design of IIS 7.0 allows administrators to choose exactly what they want to install. With fewer components installed, there is a much smaller surface area available to attackers and there are fewer settings to manage and maintain.

Question: What unused modules might present a security risk if not properly secured?


Using RPC over HTTPS

Key Points
RPC over HTTPS provides an easy and secure method of connecting a Microsoft Outlook client to a Microsoft Exchange server. You can configure user accounts in Outlook to connect to an Exchange Server over the Internet without the need to use VPN connections.

Question: Do you currently use RPC over HTTPS for Outlook/Exchange Connectivity? Do you have any other software or systems that might benefit from using RPC over HTTPS?


Permitting a User or Group to Connect to a Site

Key Points
Permit a Windows user to connect to a site or an application when you want to let the user configure delegated features in that Web site or application using IIS Manager. Feature delegation allows administrators to offer the rights to configure subsections of a Web site to a non-administrator. You can either permit a specific Windows user, or specify a Windows group so that users of that group can connect to the site or application.


Defining ISAPI and CGI Application Restrictions

Key Points
ISAPI and CGI restrictions are request handlers that allow dynamic content to execute on a server. These restrictions are either CGI files (.exe) or ISAPI extensions (.dll).


Lesson 3

Configuring Logging for IIS 7.0

Effective monitoring and auditing of Web server logs is necessary for maintaining useful and stable Web sites. The logging options in IIS 7.0 are highly configurable.


Logging Operations Overview

Key Points
You can collect information about user activity by enabling logging for your Web sites and servers. Logging information in IIS 7.0 goes beyond the scope of the simple event logging or performance monitoring features in Microsoft Windows. The logs can include information such as who has visited your site, what the visitor viewed, and when the information was last viewed.

Question: How have you used Web site logging in the past?


Managing Logging to Secure Web Sites and Servers

Key Points
Logging can help secure Web sites and servers. You can collect information about user activity by enabling logging for your Web sites. The logs can include information such as who has visited your site, what the visitor viewed, and when the information was last viewed. You can use these Web logs to assess content popularity or to identify information bottlenecks.

Question: Do you currently audit your Web logs for unauthorized and possibly harmful Web site requests?


Reviewing Information Available to Log

Key Points
Logging options are very customizable in IIS 7.0. There are many fields that can be included in the Web site log files. Effective use of the Logging Options allows you to build comprehensive Web logs that are manageable in size.

Question: What fields might be most useful in reviewing Web site logs?


Configuring Logging for Web Sites and Applications

Key Points
There are many different formats, encoding, and options for Web site logging. The default logging method for IIS 7.0, the W3C Extended Log File Format, is a standard defined by the World Wide Web Consortium. This logging format can divulge a large amount of information on the activity of your IIS server, and IIS lets you drill down to select which options you want to log.
The IIS log file format is a fixed ASCII text-based format, so you cannot customize it. Because HTTP.sys handles the IIS log file format, this format records HTTP.sys kernel-mode cache hits.
The NCSA Common log format contains only basic HTTP access information. It is a text-based, fixed format for a single site. The Common log contains the requested resource and a few other pieces of information, but does not contain referral, user agent, or cookie information. This information is contained in a single file.


W3C Extended Log File Format: Text-based, customizable format for a single site. This is the default format. A log file in the extended format contains a sequence of lines containing ASCII characters. Each line may contain either a directive or an entry. Entries consist of a sequence of fields relating to a single HTTP transaction. Directives record information about the logging process itself. Lines beginning with the # character contain directives.
W3C Centralized Logging: All data from all Web sites is recorded in a single log file in the W3C log file format.
The Custom log file format does not contain a field directive line. Therefore, you should provide the details of the field definitions. The fields should be defined in the order that the fields occur in the log record.

Question: What type of log file rollover setting might be most useful in your organization?


Viewing IIS 7.0 Logs Using the IIS Manager

Key Points
The View Log Files option opens the log file directory. The View Log Files option may be unavailable. If it is not available, you can use Notepad or a third-party product to view the logs.

Question: What third-party applications can you use for analyzing Web site log files?


Monitoring and Auditing IIS 7.0 Logs

Key Points
You can use the logs to assess content popularity of certain Web site pages or files. You can also identify information bottlenecks. You can use security auditing techniques to track the activities of users and to detect unauthorized attempts to access your NTFS file system directories and files.


Reviewing Best Practices for Maintaining IIS Logs

Key Points
It is important to maintain good practices when managing and reviewing your Web log files.
Locate the log file on a secure, reliable drive and store log files in a directory other than systemroot.
Maintain a reliable corporate policy on log file retention.
Monitor and manage the maximum number of log files to keep and the maximum size of the log files.
Find and secure access to obsolete files.

Question: Can you describe other good practices in managing and monitoring Web site logs?


Lab: Securing IIS 7.0 Web Server and Web Sites

Exercise 1: Configure a Secure Web Server


Scenario
Additional security measures need to be put in place to protect the Web server. These measures will protect the Web server against unauthorized access by specific IP addresses and domains. Additional ISAPI and CGI restrictions need to be put into place. Then you are given a list of accounts authorized for a specific site. You must give separate access to the IT Admin group and the developer, Herbert Dorner. The main tasks for this exercise are as follows:
1. Start the 6427A-NYC-DC1 virtual machine and log on as Administrator.
2. Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator.
3. Create a self-signed server certificate for the Web server.
4. Block IP addresses as specified in the service request.
5. Examine the current ISAPI and CGI Restrictions.
6. Install the .NET Framework 1.1.
7. Set ISAPI and CGI restrictions to use ASP.NET version 1.1.
8. Set the rights and permissions for Active Directory users.
9. Test and validate the new configuration.

Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Administrator


Start 6427A-NYC-DC1.

Task 2: Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator


Start 6427A-NYC-WEB-B, and log on as Administrator with the password of Pa$$w0rd.

Task 3: Create a self-signed server certificate for the Web server


1. On NYC-WEB-B, open the IIS Manager.
2. Open Server Certificates.
3. Create a Self-Signed Certificate:
   Friendly name: woodgrovebank

Task 4: Block IP addresses as specified in the Service Request


1. Using the IIS Manager, set IPv4 Address and Domain Restrictions.
2. Add a deny rule entry:
   Specific IPv4 address: 10.10.20.1
3. Add a deny rule entry:
   IPv4 address: 10.10.10.0
   Mask: 255.255.255.0


Task 5: Examine the current ISAPI and CGI Restrictions


Using the IIS Manager, examine the ISAPI and CGI Restrictions.

Task 6: Install the .NET Framework 1.1


1. Install the .NET Framework 1.1.
   File location: E:\Mod05\Labfiles
   Installer: dotnetfix.exe
2. Install the .NET Framework 1.1 Service Pack 1.
   File location: E:\Mod05\Labfiles
   Installer: NDP1.1sp1-KB867460-X86.exe

Task 7: Set ISAPI and CGI restrictions to use ASP.NET version 1.1
1. Using the IIS Manager, set the ISAPI and CGI Restrictions.
2. Allow ASP.NET v1.1.4322.

Task 8: Set the rights and permissions for Active Directory users
Set the rights and permissions for Active Directory users.
Folder: C:\inetpub\wwwroot\
Location: WoodgroveBank.com
Object names to select: ITAdmins_WoodgroveGG
Object names to select: Herbert
Allow: Full control


Task 9: Test and validate the new configuration


Validate the new configuration.
Group or user names: ITAdmins_WoodgroveGG
Group or user names: Herbert Dorner

Results: After this exercise, you should have successfully set IP restrictions, ISAPI and CGI restrictions, and Active Directory permissions, as specified in a service request document.
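One way to validate the deny entries from Task 4 is to read the site's log in the W3C Extended format described in Lesson 3 and look for requests from a denied address that were not refused. This is an added example, not part of the courseware; the log lines and function names are constructed, and it assumes the c-ip and sc-status fields are selected for logging.

```python
import ipaddress

# Deny entries from Task 4 as (address, mask); a single address gets an all-ones mask.
DENY_RULES = [("10.10.20.1", "255.255.255.255"), ("10.10.10.0", "255.255.255.0")]

# Constructed W3C Extended log (not from a real server). The second #Fields
# directive models a change of the selected fields part-way through the file,
# and one entry is truncated on purpose.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-05-12 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-12 14:00:01 10.10.0.10 GET /default.aspx - 80 - 10.10.0.50 Mozilla/4.0 200 0 0
2008-05-12 14:00:07 10.10.0.10 GET /default.aspx - 80 - 10.10.20.1 Mozilla/4.0 403 6 0
2008-05-12 14:00:09 10.10.0.10 GET /docs/shared/Woodgrove_memo.jpg - 80 - 10.10.10.77 Mozilla/4.0 200 0 0
2008-05-12 14:00:11 10.10.0.10 GET /trunc
#Date: 2008-05-12 15:00:00
#Fields: date time cs-uri-stem c-ip sc-status
2008-05-12 15:00:02 /default.aspx 10.10.20.2 200
"""


def parse_w3c(text):
    """Return (entries, skipped). Each entry is a dict keyed by the field names
    of the most recent #Fields directive; other directives are ignored."""
    fields = None
    entries, skipped = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: entry before any #Fields directive")
        values = line.split()  # fields are separated by spaces
        if len(values) != len(fields):
            skipped += 1       # truncated or damaged entry: do not misalign columns
            continue
        entries.append(dict(zip(fields, values)))
    return entries, skipped


def deny_networks(rules):
    """Turn (address, mask) pairs into network objects."""
    return [ipaddress.IPv4Network(f"{addr}/{mask}") for addr, mask in rules]


def served_despite_deny(entries, networks):
    """Entries whose client address matches a deny entry but whose status is not 403."""
    hits = []
    for entry in entries:
        status = entry.get("sc-status")
        try:
            client = ipaddress.ip_address(entry["c-ip"])
        except (KeyError, ValueError):
            continue           # c-ip not logged or not an address
        if status is None:
            continue           # status not logged: nothing to conclude
        if any(client in net for net in networks) and status != "403":
            hits.append(entry)
    return hits


if __name__ == "__main__":
    parsed, dropped = parse_w3c(SAMPLE_LOG)
    for hit in served_despite_deny(parsed, deny_networks(DENY_RULES)):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["sc-status"])
    print("skipped entries:", dropped)
```

Requests logged before the deny entries were added are reported as well, so compare the date and time fields with the time of the change.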


Exercise 2: Configure Authorization, Authentication, and Access


Scenario
Additional security measures need to be put in place to protect the Web server. An application is protected with forms authentication, but it is discovered that some of the content, such as a jpg, can bypass forms authentication and still be accessed by entering the direct URL path and file name. You must configure the protected content to use the managed forms authentication module. The main tasks for this exercise are as follows:
1. Turn off the Web site cache for the shared documents folder.
2. Sign into the Woodgrove Bank Web site and retrieve the confidential memo.
3. Bypass the Web site forms authentication.
4. Modify the applicationHost.config file to handle forms authentication.
5. Reconfigure the authorization and authentication so that the protected content uses forms authentication.
6. Test and validate the Web site's new configuration.

Task 1: Turn off the Web site cache for the shared documents folder
Using the IIS Manager, add Custom HTTP Response Header.
Name: Cache-Control
Value: no-cache

Task 2: Sign into the Woodgrove Bank Web site and retrieve the confidential memo
1. Use Internet Explorer to log into the default Web site and retrieve a confidential memo.
   Destination: Shared Documents
   Email: lmartin@woodgrovebank.com
   Password: Pa$$w0rd
   Memo: Woodgrove Confidential Memo
2. Sign out of the Web site.


Task 3: Bypass the Web site forms authentication


Use Internet Explorer to retrieve the Confidential Memo.
Confidential Memo URL: http://localhost/docs/shared/Woodgrove_memo.jpg

Task 4: Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow
Unlock URL Authorization in the applicationHost.config file:
File location: C:\windows\system32\inetsrv\config
File name: applicationHost.config
Section: <configSections>
Original code:
<section name="authorization" overrideModeDefault="Allow" />

Replacement code:
<section name="authorization" type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35" overrideModeDefault="Allow" />


Task 5: Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode
Change the Classic .NET application pool to Integrated mode in the applicationHost.config file:
File location: C:\windows\system32\inetsrv\config
File name: applicationHost.config
Section: <applicationPools>
Original code:
<add name="Classic .NET AppPool" managedPipelineMode="Classic" />

Replacement code:
<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />

Task 6: Modify the applicationHost.config file to disable all other authentication types except for anonymous
Disable all other authentication types except for anonymous in the applicationHost.config file:
File location: C:\windows\system32\inetsrv\config
File name: applicationHost.config
Section: <authentication>
Append enabled="false" to:
clientCertificateMappingAuthentication
digestAuthentication
iisClientCertificateMappingAuthentication
windowsAuthentication


Task 7: Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section
Protect all content by removing the managedHandler precondition in the applicationHost.config file:
File location: C:\windows\system32\inetsrv\config
File name: applicationHost.config
Section: <system.webServer>
Original code:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />

Replacement code:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />

Original code:
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />

Replacement code:
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
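The result of Task 7 can be checked without opening the file by hand. The following PowerShell is an added example, not part of the course material: it reports whether the two modules edited above still carry the managedHandler precondition, in which case they are skipped for static files such as the .jpg memo. The function name Test-AuthModuleCoverage and the sample XML are assumptions made for the illustration.

```powershell
# Added example: flag authentication modules that are skipped for static content.
# The XML is a constructed sample mirroring the <modules> entries edited in Task 7.
$sampleModules = @'
<configuration>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
        <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
      </modules>
    </system.webServer>
  </location>
</configuration>
'@

function Test-AuthModuleCoverage {
    param(
        [Parameter(Mandatory)] [string] $ConfigXml,
        # Modules named in Task 7; extend the list to audit other managed modules.
        [string[]] $ModuleName = @('FormsAuthentication', 'DefaultAuthentication')
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigXml)

    foreach ($name in $ModuleName) {
        $node = $doc.SelectSingleNode("//system.webServer/modules/add[@name='$name']")
        if ($null -eq $node) {
            # Module is not registered in this file at all.
            [pscustomobject]@{ Module = $name; Registered = $false; PreCondition = $null; RunsForStaticContent = $false }
            continue
        }

        # preCondition may hold several comma-separated conditions.
        $conditions = @($node.GetAttribute('preCondition') -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })

        # runAllManagedModulesForAllRequests on <modules> overrides the per-module precondition.
        $runAll = $node.ParentNode.GetAttribute('runAllManagedModulesForAllRequests') -eq 'true'

        [pscustomobject]@{
            Module               = $name
            Registered           = $true
            PreCondition         = ($conditions -join ',')
            RunsForStaticContent = ($runAll -or ($conditions -notcontains 'managedHandler'))
        }
    }
}

# With the constructed sample, FormsAuthentication is reported as not covering static content.
Test-AuthModuleCoverage -ConfigXml $sampleModules | Format-Table -AutoSize
```

To audit a real server, pass the file content instead of the sample, for example `Get-Content -Raw` on applicationHost.config from an elevated prompt.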


Task 8: Reconfigure the authorization and authentication so that the protected content uses forms authentication
1. Reconfigure authorization so that the protected content uses forms authentication in the Web.Config file:
   File location: C:\inetpub\wwwroot
   File name: Web.Config
   Section: <authorization>
   Add the line <allow users="lmartin@woodgrovebank.com" /> above the line <!--<deny users="?" />-->
   Original code:
<!--<deny users="?" />-->

Replacement code:
<deny users="?" />

2. Using the IIS Manager, reconfigure authentication so that the protected content uses forms authentication.
   Launch Authentication
   Disable Anonymous Authentication


Task 9: Test and validate the Web site's new configuration

1. Use Internet Explorer to log into the default Web site and retrieve the confidential memo.
   Destination: Shared Documents
   Email: lmartin@woodgrovebank.com
   Password: Pa$$w0rd
   Memo: Woodgrove Confidential Memo
2. Sign out of the Web site.
3. Use Internet Explorer and attempt to retrieve the Confidential Memo.
   Confidential Memo URL: http://localhost/docs/shared/Woodgrove_memo.jpg

Results: After reconfiguring the Web site's authorization and authentication so that all content uses forms authentication, thereby protecting the confidential memo, the only way to obtain the memo is by having the correct credentials.


Exercise 3: Configure Logging


Scenario
Additional security measures need to be put in place to protect the Web server. You received a service request to keep a log of all visitors to the Web server for the past 24 hours. You must enable and configure logging and then test and verify the log.
The main tasks for this exercise are as follows:
1. Examine and configure logging options.
2. Test the logging operations.

Task 1: Examine and configure logging options


Using the IIS Manager, set the logging options. Select: Use local time for file naming and rollover

Task 2: Test the logging operations


1. Using Internet Explorer, refresh the Web site.
2. View the log file:
   Log file location: C:\inetpub\logs\LogFiles\W3SVC1

Results: After examining the configuration of the Web server's logging settings, the current log file was examined and proven to successfully track the Web server's activity.
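The service request in this exercise (a record of all visitors for the past 24 hours) and the check from Exercise 2 (whether the memo is still served without a login) can both be answered from the W3C log. The PowerShell below is an added example, not part of the course material; the function names, the /docs/shared/ prefix default and the log lines are constructed for the illustration, and it assumes the forms-authenticated user name is recorded in cs-username.

```powershell
# Added example: triage an IIS W3C extended log for the checks in this lab.
# The log text is a constructed sample, not output from a real server.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-06-10 09:00:00
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2008-06-09 08:15:02 GET /default.aspx - - 10.10.0.21 200
2008-06-10 09:00:11 GET /docs/shared/Woodgrove_memo.jpg - - 10.10.0.35 200
2008-06-10 09:05:40 GET /docs/shared/Woodgrove_memo.jpg - lmartin@woodgrovebank.com 10.10.0.10 200
2008-06-10 09:07:13 GET /docs/shared/Woodgrove_memo.jpg - - 10.10.0.35 302
2008-06-10 09:12:55 GET /docs/r%C3%A9sum%C3%A9.htm - - 10.10.0.77 404
2008-06-10 09:13
'@ -split '\r?\n'

function ConvertFrom-IisW3cLog {
    param([string[]] $Line)
    $fields = @()
    foreach ($l in $Line) {
        # The #Fields directive names the columns; it can change mid-file.
        if ($l -like '#Fields:*') {
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l -match '^\s*(#|$)') { continue }            # other directives, blank lines
        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed row
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # W3C timestamps are UTC. "Use local time for file naming and rollover"
        # changes only the file name and rollover time, not these fields.
        $row['timestamp'] = [datetime]::ParseExact(
            "$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
        [pscustomobject]$row
    }
}

function Get-LogFinding {
    param(
        [object[]] $Entry,
        [datetime] $NowUtc,
        [string]   $ProtectedPrefix = '/docs/shared/'   # assumption: path of the protected content
    )
    $recent = @($Entry | Where-Object {
        $_.timestamp -gt $NowUtc.AddHours(-24) -and $_.timestamp -le $NowUtc })

    [pscustomobject]@{
        # Distinct client addresses seen in the last 24 hours.
        Visitors = @($recent | ForEach-Object { $_.'c-ip' } | Sort-Object -Unique)
        # Protected content served (200) to a request with no authenticated user.
        AnonymousProtectedHits = @($recent | Where-Object {
            $_.'cs-uri-stem' -like "$ProtectedPrefix*" -and
            $_.'cs-username' -eq '-' -and $_.'sc-status' -eq '200' })
        # Requests whose URL carries non-ASCII bytes, raw or percent-encoded (%80-%FF).
        NonAsciiRequests = @($recent | Where-Object {
            ($_.'cs-uri-stem' + $_.'cs-uri-query') -match '%[89a-f][0-9a-f]|[^\x00-\x7F]' })
    }
}

$entries = ConvertFrom-IisW3cLog -Line $sampleLog
$now     = [datetime]::SpecifyKind([datetime]'2008-06-10 10:00:00', 'Utc')
$finding = Get-LogFinding -Entry $entries -NowUtc $now

$finding.Visitors
$finding.AnonymousProtectedHits | Format-Table timestamp, 'c-ip', 'cs-uri-stem', 'sc-status'
$finding.NonAsciiRequests       | Format-Table timestamp, 'c-ip', 'cs-uri-stem', 'sc-status'
```

A non-ASCII hit is a triage signal, not proof of abuse: the constructed sample includes a legitimate accented file name to show that such rows still need review.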


Module Review and Takeaways

Review Questions
1. After reviewing your Web server logs you notice some suspicious requests employing non-ASCII characters. What security feature could you employ in response to this particular hazard?
2. Which user is assigned access to files when you allow anonymous access?
3. A developer wants to deploy an application, authenticating users using the new Passport system. Which Authentication method would you recommend?
4. A developer wants to add a shopping component to a Web site. What would you do to ensure confidence and security for users to enter their credit card numbers into a Web form?


Common Issues related to a particular technology area in the module


Identify the causes for the following common issues related to a particular technology area in the module and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: Anonymous users gaining access to protected content
Troubleshooting tip: Check to make sure that Anonymous Authentication is set to Disabled.

Issue: Active Server Pages not running
Troubleshooting tip: Check to make sure that ASP content is activated in the ISAPI and CGI restrictions.

Real-world Issues and Scenarios


The intranet server for Humongous Insurance hosts content that is available to all employees. The Human Resources department has requested that additional content be added that should be viewed only by members of the Human Resources group. What security feature could you employ to restrict access to this content?

Best Practices Related to Securing Web Servers and Web Sites


Supplement or modify the following best practices for your own work situations:

Allowing all unspecified extensions is a security risk, because your Web server could become susceptible to computer viruses or worms that exploit these technologies. To reduce this risk, you should allow only those specific ISAPI extensions or CGI files that you need to run on your Web server.

The domain name restrictions rules restrict access by domain name. This rule significantly affects server performance because it requires a DNS lookup for every request.

Employ minimal install to install only the bare minimum number of components. With fewer components installed, there is a much smaller surface area available to attackers and there are fewer things to manage and maintain.


Deploy HTTP request filtering to monitor all incoming URLs and suppress certain strings before they are processed. This allows Web server administrators to do things like block certain executables, create hidden directories unreachable with HTTP, and set limits for connections, among others.

Restrict directory browsing to prevent snooping of your Web server content.

Locate the log file on a secure, reliable drive, in a directory other than systemroot.

Monitor and manage the maximum number of log files to keep and the maximum size of the log files.

Tools
Tool | Use for | Where to find it
IIS Manager | Editing security configuration | Administrative Tools
Notepad | Editing config files | Accessories
Notepad | Viewing log files | Accessories


Module 6
Configuring Delegation and Remote Administration
Contents:
Lesson 1: Configuring Remote Administration
Lesson 2: Configuring Delegated Administration
Lesson 3: Configuring Feature Delegation
Lab: Configuring Delegation and Remote Administration


Module Overview

This module helps students to use the delegated rights assignment system and the remote administration system in IIS 7.0. Students will assign rights to Web sites to users and configure users to serve as remote administrators of a server and its corresponding Web sites.


Lesson 1

Configuring Remote Administration

The IIS 7.0 remote administration service uses the HTTPS protocol to allow remote Web server administration. This lesson focuses on configuring the Remote Administration service.


Delegation Overview

Key Points
IIS 7.0 delegated administration is useful in multiple scenarios, including the following:
You are a server administrator and you are not the primary person providing content on your server.
You are a developer and you want your server administrator to give you more control over IIS configuration for your application.


IIS7 feature delegation means: Managing the set of site and application users that are permitted to use IIS Manager to view configuration and set configuration for features with unlocked configuration sections.

Question: In your work environment, what scenarios would benefit from delegated administration?


Remote Administration Overview

Key Points
There are two steps for configuring remote administration:
Specify the users that can connect to a site or application.
Configure and start the Web Management Service (WMSVC).


Remote Administration Service Settings

Key Points
The Management Service (WMSVC) enables computer and domain administrators to remotely manage a Web server. The service also enables delegated administrators to locally and remotely manage delegated features of Web sites and Web applications on the Web.


Remote Administration Connection Settings

Key Points
The Remote Administration Connection Settings are highly configurable and customizable to create a best fit for your organization. The Remote Administration Connection Settings available for configuration include:
IP Address
Port
SSL Certificate
Log Requests to

Question: What benefits and drawbacks occur when using a self-signed certificate?


Configure Remote Administration for IIS Server

Key Points
Configuring Remote Administration for IIS includes the following steps:
1. Install the Web Management Service (WMSVC).
2. Enable remote connections.
3. Optionally set other configuration.
4. Start WMSVC, and optionally change the service Startup Type from Manual to Automatic.
5. Configure Identity Credentials.
6. Configuring Users and Permissions for IIS Manager.
7. Create an IIS Manager User.
8. Configure IIS Manager Permissions for the Site.
9. Configure Access Control Lists for Content Directories.
10. Connect to a Site or an Application in IIS Manager.


HTTP with SSL vs. DCOM for Remote Administration

Key Points
The IIS 7.0 Remote Administration tool uses HTTP with the SSL protocol and offers the following advantages:
Administrators can manage the entire Web server.
Administrators have almost the same experience as local use of the IIS Manager tool.
Both Administrators and non-administrators can use the tool.
Windows User accounts and IIS Manager User accounts can be delegated permission.


The server Administrator decides what non-administrators can view and change through Feature Delegation.
The IIS 7.0 Remote Administration tool uses HTTPS, a secure, firewall-friendly protocol that requires opening only one port on a firewall to permit inbound access to the tool.

Question: What configuration is necessary to permit HTTPS traffic through a firewall?


Lesson 2

Configuring Delegated Administration

IIS 7.0 distributes its configuration data among several XML files. This allows considerable flexibility in configuring individual sites or applications. The IIS 7.0 distributed configuration system also makes it possible to delegate administrative access to individual Web sites or applications. This lesson focuses on how the IIS 7.0 distributed configuration system is used to delegate Web site or application configuration.


Distributed Configuration System Overview

Key Points
The IIS 7.0 configuration system uses the following files:
A central configuration file named applicationHost.config that is located in %WINDIR%\System32\InetSrv\Config\.
Several Web.config files can appear at any level of the URL hierarchy.
The machine.config file defines the properties that are required for all ASP.NET Framework features.

Configuration file settings inherit from parent to child file from machine.config down to the last Web.config file (if any) and the effective configuration is calculated for a given path. Any setting at a lower level in the hierarchy will override a parent setting defined in a file above the current level.


Hierarchy of Configuration Files

Key Points
There are three key files that control the operation of IIS 7.0. The first file is machine.config. This file contains the .NET Framework settings for the server. In Windows Vista and Windows Server 2008, this file contains all the global settings for .NET-related components and features. The applicationHost.config file contains settings for IIS and other services that have settings in common with IIS. The next file in the hierarchy is the root Web.config file, which defines the global settings for properties defined for all ASP.NET Web applications. This file exists for each version of the .NET Framework installed on the server. There may be optional Web.config files in the Web content directories which control the behavior of that portion of the URL namespace.


How to Delegate Administrative Rights

Key Points
The process of delegating administrative rights includes the following tasks:
1. Add site administrators to a site, and add application administrators to an application.
2. Configure the delegation state of site and application features for site and application administrators to view and configure.
3. Configure connection settings and enable remote management.


Lesson 3

Configuring Feature Delegation

IIS 7.0 can delegate permission in a granular fashion. By using feature delegation, server administrators can determine which features can be modified by site or application administrators. This lesson focuses on using feature delegation.


Feature Delegation in IIS 7.0

Key Points
IIS 7.0 feature delegation has the following characteristics:
The server administrator decides which features non-administrators can view and change.
Features which are not delegated are not visible in the UI at site or application levels.
Feature delegation works by locking or unlocking configuration sections.


Feature Delegation Options

Key Points
The server administrator can configure individual features with the following states:
Read/Write: When you select Read/Write for a feature, you unlock the feature's related configuration section(s) in ApplicationHost.config.
Read Only: When you select Read Only for a feature, you lock the feature's related configuration section(s) in ApplicationHost.config.
Remove Delegation: When you select Remove Delegation for a feature, you lock the feature's related configuration section(s) in ApplicationHost.config.
Reset to Inherited: When you select Reset to Inherited for a feature, the delegation state for that feature is returned to its default setting.


Configuration Read/Write: When you select Configuration Read/Write for a feature, you unlock the feature's configuration section(s) in ApplicationHost.config.
Configuration Read Only: When you select Configuration Read Only for a feature, you lock the feature's configuration section(s) in ApplicationHost.config.

Question: What are some scenarios when Configuration Read/Write would be used instead of Read/Write?


Default Feature Delegation Settings

Key Points
The default feature delegation settings were created with the best practices in mind.


How to Configure Feature Delegation in IIS 7.0

Key Points
Configuring feature delegation in IIS 7.0 includes the following steps:
1. Open IIS Manager and click on the connection to the local server in the treeview on the left-hand side.
2. Scroll down the feature list, find Feature Delegation, and double-click to open.
3. Click on a feature to set the delegation options in the task pane on the right.


Feature Delegation with Remote Management

Key Points
Feature delegation is a useful tool for allowing non-administrators to manage discrete components of a Web site. Using feature delegation and remote management together includes the following steps:
1. Set the desired feature delegation settings.
2. Specify the users that can connect to a site or application.
3. Install the Web Management Service.
4. Configure and Enable remote management.
5. Start the Web Management Service.
6. Test the configuration by connecting from a remote machine.


Best Practices for Feature Delegation

Key Points
It is important to maintain good practices when deploying feature delegation. Best practices for feature delegation include:
Back up configuration files before modifying them.
Give only the needed level of access.
Don't change the system account.
Don't make delegation more restrictive after initial configuration.

Question: Why is delegating only the needed level of access recommended?


Lab: Configuring Delegation and Remote Administration

Exercise 1: Configuring Remote Administration


Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer. A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server. You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated.


In this exercise you will practice configuring a Web server for remote administration. This exercise's main tasks are:
1. Configure NYC-WEB-B for remote administration.
2. Test NYC-WEB-B remote administration.

Task 1: Configure NYC-WEB-B for remote administration


1. Add the IIS Management role service to NYC-WEB-B.
2. Configure the IIS Management service to accept both Windows Credentials and IIS Manager Credentials.
3. Start the IIS Management service.

Task 2: Test NYC-WEB-B remote administration


1. On NYC-DC1, add the IIS Management Console.
2. On NYC-DC1, use the IIS Management Console to connect to NYC-WEB-B.
   On the NYC-WEB-B Default Web Site, set index.htm as the first default document.

Results: After completing this exercise, you should have configured the IIS Management Service to accept remote connections and you should have tested a remote connection from NYC-DC1.


Exercise 2: Configuring Delegated Administration


Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer. A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server. You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated.
In this exercise you will practice delegating administration of two Web sites to the appropriate business owners. This exercise's main tasks are:
1. Configure delegated administration for the Human Resources site.
2. Share the Woodgrove sales Web site for Betsy Stadick.
3. Configure delegated administration for the Sales site.
4. Test delegated administration for the Human Resources and Sales sites.


Task 1: Configure delegated administration for the Human Resources site


1. On NYC-WEB-B, share WoodgroveHRSite.
   Location: E:\Mod06\Labfiles
   Site: WoodgroveHRSite
   Administrator: Herber Dorner
   Rights: Co-owner
2. Using IIS Manager, grant the Windows user Herber Dorner access to the HR site.

Task 2: Share the Woodgrove sales Web site for Betsy Stadick
On NYC-WEB-B, share the Woodgrove sales Web site for Betsy Stadick.
Location: E:\Mod06\Labfiles
Site: WoodgroveSalesSite
Administrator: Betsy Stadick
Rights: Co-owner

Task 3: Configure delegated administration for the Sales site


Allow configuration override for the authentication section of applicationHost.config.
Use Notepad to open C:\windows\system32\inetsrv\config\applicationhost.config.
Remove the following text:
<anonymousAuthentication enabled="true" userName="IUSR" />
<basicAuthentication />
<clientCertificateMappingAuthentication />
<digestAuthentication />
<iisClientCertificateMappingAuthentication


Insert the following text on the line before </configuration>:
The text is available in the file: C:\Mod06\Labfiles\EnableAnonymousAuthentication.txt.
<location overrideMode="Allow">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
        <basicAuthentication />
        <clientCertificateMappingAuthentication />
        <digestAuthentication />
        <iisClientCertificateMappingAuthentication />
        <windowsAuthentication />
      </authentication>
    </security>
  </system.webServer>
</location>

Save changes to the applicationHost.config file.
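Wrapping the authentication sections in <location overrideMode="Allow"> means any site owner who can write a Web.config can change them, which Task 4 goes on to demonstrate. The PowerShell below is an added example, not part of the course material: it lists which sections a server-level file leaves open to site-level override, combining overrideModeDefault from <configSections> with server-wide <location overrideMode> blocks. The function name Get-SectionDelegation is hypothetical and the sample XML is constructed; its overrideModeDefault values are illustrative, not the shipped defaults.

```powershell
# Added example: report which configuration sections site-level Web.config files may override.
# Constructed sample; overrideModeDefault values are illustrative, not the shipped defaults.
$sampleAppHost = @'
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="httpErrors" overrideModeDefault="Deny" />
      <sectionGroup name="security">
        <section name="authorization" overrideModeDefault="Allow" />
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Deny" />
          <section name="basicAuthentication" overrideModeDefault="Deny" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <system.webServer>
    <httpErrors />
  </system.webServer>
  <location overrideMode="Allow">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" userName="IUSR" />
          <windowsAuthentication />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

function Get-SectionDelegation {
    param([Parameter(Mandatory)] [string] $ConfigXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigXml)
    $locations = @($doc.SelectNodes('/configuration/location[@overrideMode]'))

    foreach ($section in $doc.SelectNodes('/configuration/configSections//section')) {
        # Rebuild the section path from the enclosing <sectionGroup> names.
        $names  = @($section.GetAttribute('name'))
        $parent = $section.ParentNode
        while ($null -ne $parent -and $parent.LocalName -eq 'sectionGroup') {
            $names  = @($parent.GetAttribute('name')) + $names
            $parent = $parent.ParentNode
        }
        $path = $names -join '/'

        $mode = $section.GetAttribute('overrideModeDefault')
        if (-not $mode) { $mode = 'Allow' }     # schema default when the attribute is absent
        $source = 'configSections default'

        # A server-wide <location> (no path) that contains the section replaces the default.
        foreach ($loc in $locations) {
            $locMode = $loc.GetAttribute('overrideMode')
            if ($loc.GetAttribute('path') -eq '' -and $locMode -ne 'Inherit' -and
                $null -ne $loc.SelectSingleNode($path)) {
                $mode   = $locMode
                $source = 'location overrideMode'
            }
        }
        [pscustomobject]@{ Section = $path; Mode = $mode; Source = $source; Delegated = ($mode -eq 'Allow') }
    }
}

# Security sections a site owner can change. With the sample: authorization (by default),
# anonymousAuthentication and windowsAuthentication (unlocked by the <location> block).
Get-SectionDelegation -ConfigXml $sampleAppHost |
    Where-Object { $_.Delegated -and $_.Section -like 'system.webServer/security/*' } |
    Format-Table Section, Mode, Source -AutoSize
```

In the sample, basicAuthentication stays locked because the <location> block does not contain it, which is the same rule that makes the lab's edit unlock only the elements it lists.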

Task 4: Test delegated administration for the Human Resources and Sales sites
1. On NYC-DC1, log in as woodgrovebank\herbert with a password of Pa$$w0rd.
2. Use IIS Manager to connect to the HR site on NYC-WEB-B.
   Password: Pa$$w0rd
   Server name: NYC-WEB-B
   Site name: HR
   User name: herbert@woodgrovebank.com
   Connection Name: Human Resources Site
3. Use IIS Manager to connect to the Sales site on NYC-WEB-B.
   Password: Pa$$w0rd
   Server name: NYC-WEB-B
   Site name: Sales
   User name: herbert@woodgrovebank.com

Question: Why does an error occur?
Answer: This error occurs because Herbert was not granted IIS Manager permission on the Sales site.
4. Log in to NYC-DC1 as woodgrovebank\betsy with a password of Pa$$w0rd.
5. Disable Windows authentication and anonymous authentication in the Web.config file for the Sales site.
   Use Notepad to open \\NYC-WEB-B\WoodgroveSalesSite\Web.Config.
   Insert the following text on the line before </configuration>:
   The text is available in the file: C:\Mod06\Labfiles\DisableAuthentications.txt
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="false" />
      <anonymousAuthentication enabled="false" />
    </authentication>
  </security>
</system.webServer>

   Save changes to the Web.config file.
6. Use Internet Explorer to access http://sales.woodgrovebank.com.
   Question: Why does the server report a 401 error?
   Answer: The server reports a 401 error because both Anonymous Authentication and Windows Authentication have been disabled. The web server is unable to service a request for a web page if no means for authentication is configured.
7. Attempt to configure \\NYC-WEB-B\WoodgroveHRSite\Web.Config.


Results: After completing this exercise, you should have successfully delegated administration for the Human Resources Web site to Herber Dorner and delegated administration for the Sales Web site to Betsy Stadick.


Exercise 3: Configuring Feature Delegation


Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer. A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server. You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated.
In this exercise you will practice configuring delegated administration so that all site owners can administer the error messages for their site. This exercise's main tasks are:
1. Configure feature delegation for the Human Resources and Sales sites.
2. Test feature delegation for the Human Resources site.

Task 1: Configure feature delegation for the Human Resources and Sales sites
On NYC-WEB-B, use feature delegation to set Error Pages to Read/Write.


Task 2: Test feature delegation for the Human Resources site


1. On NYC-DC1, log in as woodgrovebank\herbert with a password of Pa$$w0rd.
2. Use IIS Manager to connect to the HR site on NYC-WEB-B with the user name herbert@woodgrovebank.com.
3. Set a custom error page of /ErrorPages/custom404.htm for the 404 error page.
4. Use Internet Explorer to open URL: http://hr.woodgrovebank.com/missingpage.htm

Results: After completing this exercise, you should have successfully configured the Human Resources and Sales sites so that the site owners can customize error pages for each site.


Module Review and Takeaways

Review Questions
1. What are the steps in configuring the Web management service?
2. What files are involved in delegated administration?
3. What are some best practices for feature delegation?


Common Issues related to configuring feature delegation and remote administration


Identify the causes for the following common issues related to configuring feature delegation and remote administration and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: Self-signed certificates
Troubleshooting tip: Self-signed certificates usually produce a non-critical error because they are not issued by a certification authority that is recognized by the remote client.

Issue: Firewall ports
Troubleshooting tip: The remote management service uses TCP port 8172 by default. Even though HTTPS is the protocol used for remote management, any firewalls between the Web server and the remote administrator will need to permit port 8172, or the port configured in the remote management settings.

Issue: File permissions on Web.config
Troubleshooting tip: Delegated administrators must be able to modify the Web.config file for their Web site or application.

Issue: Configuration file conflicts
Troubleshooting tip: Configuration file settings inherit from parent to child file from machine.config down to the last Web.config file (if any) and the effective configuration is calculated for a given path. Any setting at a lower level in the hierarchy will override a parent setting defined in a file above the current level.

Real-world Issues and Scenarios


1. A hosting provider wants to delegate site management to each customer for that customer's site.
2. A corporate Web server hosts multiple departmental sites. The server administrator wants to delegate limited access to departmental site managers.
What access should be delegated? What access should not be delegated? What are the access requirements in your environment?


Best Practices related to configuring feature delegation and remote administration


Supplement or modify the following best practices for your own work situations:
Back up configuration files before modifying them.
Give only the needed level of access.
Don't change the system account.
Don't make delegation more restrictive after initial configuration.


Module 7
Using Command-line and Scripting for IIS 7.0 Administration
Contents:
Lesson 1: Tools for Running Administrative Tasks in IIS
Lesson 2: Executing Scripts for Administrative Tasks
Lesson 3: Managing IIS Tasks
Lab: Using Command-line and Scripting for IIS 7.0 Administration


Module Overview

This module helps you to use command-line and scripting for IIS 7.0 Administration. After completing this module, you will be able to:
Use PowerShell for IIS 7.0 administration.
Extend PowerShell with scripts.
Run a script using PowerShell.
Use Microsoft.Web.Administration for IIS 7.0 administration.
Perform AppCmd tasks for IIS 7.0.
Use WMI objects to perform administrative tasks.


Lesson 1

Tools for Running Administrative Tasks in IIS

This lesson will provide some introductory information for command-line and scripting for IIS 7.0 administration. The new tools for use with IIS 7.0 will be explained and the benefits will be described.


IIS 7.0 Management

Key Points
New administration tools for IIS 7.0 include:
IIS Manager: Feature-focused administration tool with dialogs for common administrative tasks.
PowerShell: New command-line administration tool that can use the WMI provider and .NET API.
AppCmd: For use specifically for IIS 7.0 administration.

Question: When would you choose to use command-line tools instead of the IIS Manager?


PowerShell Overview

Key Points
Windows PowerShell command line interface is a new tool to perform command-line administration.
- Object-Oriented Data Handling: PowerShell, based on the .NET Framework platform, provides a powerful object-model command-line environment.
- Namespaces: As a WMI interface provider, scripting in PowerShell can significantly shorten the amount of time required to do repetitive maintenance and management.
- Pipelining: You can pipe the output from one command as the input into another command. Transparent access to the commands is available through the Command Prompt.
- Trusted Scripts: As an option, all scripts may be required to be digitally signed before they are allowed to run.


Benefits of Using PowerShell

Key Points
PowerShell is a command-line tool like cmd.exe, except it is more powerful. The improvements over cmd.exe make PowerShell a better choice for IIS 7.0 administration.

Question: What are some advantages to using PowerShell instead of cmd.exe?


Benefits of Using Microsoft.Web.Administration APIs

Key Points
The Microsoft.Web.Administration (MWA) API provides a programmatic way to access and update the Web server configuration and administration information. Microsoft.Web.Administration.dll is an easy way for users to tweak settings on the server. You would use the MWA API when you want to write a program in managed code (C#, VB, etc.) to configure the server in a particular manner. This API can also be used from PowerShell.


Benefits of Using AppCmd.exe and Command-line Scripts

Key Points
AppCmd.exe is the single command line tool for managing IIS 7.0. It exposes all key server management functionality through a set of intuitive management objects that can be manipulated from the command line or from scripts. AppCmd enables you to easily control the server without using a graphical administration tool and to quickly automate server management tasks without writing code.

Question: How does administration with AppCmd.exe differ from IIS Manager?


Lesson 2

Executing Scripts for Administrative Tasks

This lesson will explain how to use scripting for IIS 7.0 administrative tasks. Sample scripts will be examined, as well as techniques for writing scripts.


Using Scripts for Administrative Tasks

Key Points
Ways to use scripts for IIS 7.0 administration include PowerShell scripts, PowerShell Command-lets, AppCmd.exe scripts and through the use of the Microsoft.Web.Administration API. The AppCmd.exe command line is built on top of a set of top level server management objects, such as Site and Application. These objects expose methods that can be used to perform various actions on those objects, and object instances expose properties that can be inspected and manipulated.


Using PowerShell Scripts for Administrative Tasks

Key Points
The net effect of this example script will be to copy all files listed in file AppManifest.txt, located on machine DemoServer1, to all the machines listed in file RestOfFarm.txt. The script works as follows:
- The get-content cmdlet reads machine names from file RestOfFarm.txt and file names from file AppManifest.txt.
- The outer foreach loop iterates through each machine name stored in variable $farmList, storing each name into variable $targetMachine in turn. The inner loop is similar and stores each file into $file in turn.
- The join-path cmdlet is used to intelligently concatenate strings to produce complete source and destination paths.
- Finally, the copy-item cmdlet is used to perform the copy actions, where the -recurse switch will copy all sub-directories and the -force switch causes existing files to be overwritten.
Notice that this script has all information about source and destination locations hard-coded into the script.
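The script itself is not reproduced on this page, so the following is an added example written from the description above, not the course's own script. It passes the locations as parameters instead of hard-coding them; the share names, parameter names and the manifest path check are assumptions of this example.

```powershell
# Added example: farm copy as described above, with locations passed in as parameters.
# Share names and list locations are assumptions; only DemoServer1, RestOfFarm.txt and
# AppManifest.txt come from the course text.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SourceMachine = 'DemoServer1',
    [Parameter(Mandatory = $true)][string]$SourceShare,   # share on the source machine (assumed)
    [Parameter(Mandatory = $true)][string]$TargetShare,   # share on every farm machine (assumed)
    [string]$FarmListPath = '.\RestOfFarm.txt',
    [string]$ManifestPath = '.\AppManifest.txt'
)

# Read machine names and file names, skipping blank lines.
$farmList = @(Get-Content -Path $FarmListPath | Where-Object { $_.Trim() })
$fileList = @(Get-Content -Path $ManifestPath | Where-Object { $_.Trim() })

# Copy-Item -Force overwrites whatever the destination path points at, so every
# manifest entry must be a relative path that stays inside the share.
foreach ($file in $fileList) {
    if ([System.IO.Path]::IsPathRooted($file) -or $file -match '(^|[\\/])\.\.([\\/]|$)') {
        throw "Manifest entry '$file' is not a relative path inside the source share."
    }
}

$sourceRoot = "\\$SourceMachine\$SourceShare"

foreach ($targetMachine in $farmList) {
    $targetRoot = "\\$targetMachine\$TargetShare"

    foreach ($file in $fileList) {
        $source      = Join-Path -Path $sourceRoot -ChildPath $file
        $destination = Join-Path -Path $targetRoot -ChildPath $file

        # -WhatIf lists the planned copies without touching any server.
        if ($PSCmdlet.ShouldProcess($destination, "Copy from $source")) {
            $parent = Split-Path -Path $destination -Parent
            if (-not (Test-Path -Path $parent)) {
                New-Item -Path $parent -ItemType Directory -Force | Out-Null
            }
            Copy-Item -Path $source -Destination $destination -Recurse -Force
        }
    }
}
```

Run it with -WhatIf first to review the list of copies, then run it again without the switch.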


Question: If you are familiar with Visual Basic, how would this code translate to Visual Basic?

Question: In a production environment, would you want to hard code the source and destination location into the script? If not, what would you do instead?


Writing PowerShell Command-lets for IIS 7.0

Key Points
Windows PowerShell supports cmdlets that are derived from two different base classes:
- Most cmdlets are based on .NET classes that derive from the Cmdlet base class.
- More complex cmdlets are based on .NET classes that derive from the PSCmdlet base class.

Question: If you were writing a cmdlet that created an application pool, what would you name the cmdlet?


Using AppCmd and Command-line Scripts

Key Points
Before you can serve a single request from your IIS7 server, you need to create a set of configurations that describes how the server listens for requests, and how these requests are then dispatched to your scripts or static files.


Accessing Microsoft.Web.Administration in PowerShell

Key Points
Microsoft.Web.Administration.dll can be loaded into PowerShell and then used to view information such as Web site names.


Lesson 3

Managing IIS Tasks

This lesson will go into detail on using PowerShell, AppCmd, WMI and MWA to perform IIS 7.0 administrative tasks.


How to use AppCmd: <COMMAND> Options

Key Points
In IIS 6.0, several administrative tasks were performed using several VBS script files. This made it difficult to find out which script needed to be run. IIS 7.0 can be managed using AppCmd.exe, which provides all the options you need to administer IIS 7.0. AppCmd works by executing a command on one of the supported management objects, with optional parameters used to further customize the behavior of the command:
APPCMD.EXE <COMMAND> <OBJECT> <ID> [ /parameter:value ]*

Question: Do you have any administrative tasks for IIS 6.0 in your organization that require the use of more than one script?


How to use AppCmd: <OBJECT> Options

Key Points
An object will often support additional commands, such as START and STOP for the Site object. <OBJECT> is one of the management objects supported by the tool.


Using AppCmd to Manage IIS 7.0 Tasks

Key Points
AppCmd can be used for commonly performed tasks, such as creating backups, viewing a Web site's configuration, or starting Web sites.
APPCMD.EXE <COMMAND> <OBJECT> <ID> [ /parameter:value ]*

Question: Can you describe a situation where AppCmd would be useful in your organization?
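The tasks named above (creating a backup, viewing a site's configuration, starting a site) map onto the APPCMD.EXE <COMMAND> <OBJECT> <ID> pattern as in this added example, which is not part of the course material. It takes a configuration backup before making a change and restores it if the change fails; the helper names and the backup name format are assumptions, and NewSite and NewAppPool are the names used in this module's lab.

```powershell
# Added example: run in an elevated PowerShell session on the IIS 7.0 server.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function Invoke-AppCmd {
    # Runs APPCMD.EXE <COMMAND> <OBJECT> <ID> [/parameter:value]* and throws on a
    # non-zero exit code, so a failed step cannot pass unnoticed in a script.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)

    $output = & $appcmd @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "appcmd $($Arguments -join ' ') failed with exit code ${LASTEXITCODE}: $output"
    }
    $output
}

function Invoke-WithConfigBackup {
    # Hypothetical helper: back up the IIS configuration, apply a change, and
    # restore the backup if the change throws.
    param([Parameter(Mandatory = $true)][scriptblock]$Change)

    $backupName = 'pre-change-{0:yyyyMMdd-HHmmss}' -f (Get-Date)   # constructed name
    Invoke-AppCmd 'add', 'backup', $backupName | Out-Null           # add backup <name>
    try {
        & $Change
    }
    catch {
        Write-Warning "Change failed, restoring backup '$backupName'."
        Invoke-AppCmd 'restore', 'backup', $backupName | Out-Null   # restore backup <name>
        throw
    }
    $backupName
}

# View the current configuration of a site (list config <ID> /section:<name>).
Invoke-AppCmd 'list', 'config', 'Default Web Site/', '/section:caching'

# Apply a change under the protection of a backup: move the root application of
# NewSite to NewAppPool (both must already exist).
$backup = Invoke-WithConfigBackup -Change {
    Invoke-AppCmd 'set', 'app', 'NewSite/', '/applicationPool:NewAppPool'
}
"Configuration backup kept as: $backup"

# Start a site and list the existing backups.
Invoke-AppCmd 'start', 'site', 'Default Web Site'
Invoke-AppCmd 'list', 'backup'
```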


Automating Tasks using Scripts

Key Points
You can use PowerShell scripts to automate tasks. These tasks can be set to start with any number of triggered events such as a disk failure or a scheduled time.


PowerShell Command-lets for IIS 7.0

Key Points
Built-in PowerShell cmdlets provide easy access to commonly performed tasks.


Using PowerShell to Manage IIS 7.0 Tasks

Key Points
PowerShell can extract detailed information from the server. You can format your output to meet your needs. Piping with PowerShell cmdlets allows you to input the result of one cmdlet into another.

Question: What is the advantage of piping commands with PowerShell?


Using WMI Provider to Manage IIS 7.0 Tasks

Key Points
WMI scripting lets you manage worker processes and application domains (AppDomains) in IIS 7.0.


Lab: Using Command-line and Scripting for IIS 7.0 Administration

Exercise 1: Manage IIS Web Sites with PowerShell


Scenario
The development team requires additional tools to manage their Web sites. First you need to make sure that PowerShell will correctly manage the server's services and make sure it can successfully stop and start the Web service. In this exercise, you will learn how to use PowerShell to manage IIS 7.0. The main tasks for this exercise are as follows:
1. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator.
2. Use PowerShell to identify all services.
3. Use PowerShell to identify running services that start with a "w".
4. Stop the w3svc service using PowerShell.
5. Start the w3svc service using PowerShell.
6. List the Powershell.exe process using the get-wmiobject cmdlet.

Task 1: Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator

Task 2: Use PowerShell to identify all services
Use the get-service cmdlet.

Task 3: Use PowerShell to identify running services that start with a w


Use the get-service -include w* | sort-object -property status cmdlet.

Task 4: Stop the w3svc service using PowerShell


Use the stop-service cmdlet. Use the get-service cmdlet to confirm.

Task 5: Start the w3svc service using PowerShell


Use the start-service cmdlet. Use the get-service cmdlet to confirm.

Task 6: List the Powershell.exe process using the get-wmiobject cmdlet


Use the Get-WmiObject -query "Select * From Win32_Process Where Name = 'powershell.exe'" cmdlet.
Results: After this exercise, you should have successfully identified, stopped and started services using PowerShell.


Exercise 2: Use Microsoft.Web.Administration


Scenario
You need to verify that a script will effectively stop and start using MWA. Run the script and then check to make sure that the service is stopped. Then restart the service using the script and verify that it is started. In this exercise, you will learn how to use MWA to execute a script. The main tasks for this exercise are as follows:
1. Load Microsoft.Web.Administration.dll.
2. Get Web site information with MWA.
3. Create a function using MWA to find Web sites.
4. Use the findsite function to list the default Web site, the default Web site ID, and then stop and start the default Web site.

Task 1: Load Microsoft.Web.Administration.dll


Open PowerShell. Use this command:
[System.Reflection.Assembly]::LoadFrom("C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll")

Task 2: Get Web site information with MWA


(New-Object Microsoft.Web.Administration.ServerManager).Sites
(New-Object Microsoft.Web.Administration.ServerManager).Sites | ForEach-Object {$_.Name}


Task 3: Create a function using MWA to find Web sites


function findsite {$name=$args[0]; ((New-Object Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name -match $name}); }

Task 4: Use the findsite function to list the default Web site, the default Web site ID, and then stop and start the default Web site
Results: After this exercise, you should have successfully used Microsoft.Web.Administration to gather Web site information and created a function to start and stop the default Web site.
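Task 4 gives no commands, so here is one way to carry it out, as an added example that is not part of the lab files. Because -match is a regular-expression match, a short pattern such as Default can select more than one site; this version anchors the pattern and refuses to stop anything unless exactly one site matched. The parameter name and the single shared ServerManager instance are choices of this example.

```powershell
# Added example: run in an elevated PowerShell session on the IIS 7.0 server.
$mwaPath = Join-Path $env:windir 'system32\inetsrv\Microsoft.Web.Administration.dll'
[void][System.Reflection.Assembly]::LoadFrom($mwaPath)

# One ServerManager instance is reused so that every call works on the same
# view of the server configuration.
$serverManager = New-Object Microsoft.Web.Administration.ServerManager

function findsite {
    # Returns every site whose name matches the regular expression in $Name.
    param([Parameter(Mandatory = $true)][string]$Name)
    $serverManager.Sites | Where-Object { $_.Name -match $Name }
}

# Anchor the pattern so that only the site with exactly this name is selected.
$found = @(findsite '^Default Web Site$')
if ($found.Count -ne 1) {
    throw "Expected exactly one matching site, found $($found.Count). Nothing was stopped."
}
$site = $found[0]

# List the default Web site and its ID.
'Name: {0}  ID: {1}  State: {2}' -f $site.Name, $site.Id, $site.State

# Stop the site, confirm the state, then start it again.
$site.Stop() | Out-Null
'After Stop():  {0}' -f $site.State

$site.Start() | Out-Null
'After Start(): {0}' -f $site.State
```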


Exercise 3: Automate IIS Administration using Scripts


Scenario
The development team provided you with a script that lists Web sites on the server. You need to test and run the script using PowerShell. You also need to deploy several identical Web sites using the same default content located on a share. A PowerShell script will be used to automate this task. In this exercise, you will learn how to use PowerShell scripts. The main tasks for this exercise are as follows:
1. Create Microsoft.PowerShell profile script to automatically load assemblies.
2. Set execution policy to unrestricted.
3. Add a global variable to profile script.
4. List sites using global variable.
5. Use PowerShell script to find sites.
6. Review and run a script to create a Web site.
7. Use PowerShell script to verify site was created.

Task 1: Create Microsoft.PowerShell profile script to automatically load assemblies


To open profile script:
if (test-path $profile) {echo "Path exists."} else {new-item -path $profile -itemtype file -force}; notepad $profile

Profile script:
echo "Microsoft IIS 7.0 Environment Loader"
echo "Copyright 2006 Microsoft Corporation. All rights reserved."
echo "Loading IIS 7.0 Managed Assemblies"
$inetsrvDir = (join-path -path $env:windir -childPath "\system32\inetsrv\")
Get-ChildItem -Path (join-path -path $inetsrvDir -childPath "Microsoft*.dll") | ForEach-Object {[System.Reflection.Assembly]::LoadFrom( (join-path -path $inetsrvDir -childPath $_.Name)) }
echo "Assemblies loaded."


Task 2: Set execution policy to unrestricted


View execution policy with get-executionpolicy cmdlet. Set execution policy with set-executionpolicy cmdlet.
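The lab runs with the Unrestricted policy; the "Trusted Scripts" key point in Lesson 1 describes the stricter option in which every script must be digitally signed. The following added example, which is not part of the lab, reports which scripts (including the profile script from Task 1) would run under AllSigned and switches to that policy only when all of them carry a valid signature. The folder path and function name are assumptions, and the -List and -Scope parameters require PowerShell 2.0 or later.

```powershell
# Added example: audit script signatures before requiring signed scripts.
param([string]$ScriptRoot = 'C:\Scripts')   # assumed location of administrative scripts

function Get-ScriptSignatureReport {
    # Returns one record per script, type or format file with its Authenticode status.
    param([Parameter(Mandatory = $true)][string[]]$Path)

    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1, *.ps1xml |
        ForEach-Object {
            $signature = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $signature.Status    # Valid, NotSigned, HashMismatch, ...
                Signer = if ($signature.SignerCertificate) {
                             $signature.SignerCertificate.Subject
                         } else { '' }
            }
        }
}

# Show the effective policy at every scope.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# The profile script runs in every session, so it is checked together with the
# scripts in $ScriptRoot.
$paths = @($ScriptRoot)
if (Test-Path -Path $profile) { $paths += $profile }

$report   = @(Get-ScriptSignatureReport -Path $paths)
$unsigned = @($report | Where-Object { $_.Status -ne 'Valid' })

$report | Sort-Object Status, File | Format-Table -AutoSize

if ($unsigned.Count -eq 0) {
    # Every file has a valid signature: require signatures from now on.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
}
else {
    Write-Warning "$($unsigned.Count) file(s) would be blocked under AllSigned; policy left unchanged."
}
```

A HashMismatch status means the file changed after it was signed, which is worth investigating before re-signing it.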

Task 3: Add a global variable to profile script


Add this line to the profile script:
new-variable iismgr -value (New-Object Microsoft.Web.Administration.ServerManager) -scope global

Task 4: List sites using global variable

Task 5: Use PowerShell script to find sites
1. Save the script located in E:\Mod07\Labfiles\scripts\iis.type.ps1.xml to c:\windows\System32\WindowsPowerShell\v1.0.
2. Type the following at the end of the profile script:
new-variable iissites -value (New-Object Microsoft.Web.Administration.ServerManager).Sites -scope global
new-variable iisapppools -value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools -scope global
update-typedata -append (join-path -path $PSHome -childPath "iis.types.ps1xml")
3. At the PowerShell Command Prompt run $iissites.Find("^Default*").


Task 6: Review and run a script to create a Web site


1. The script is located in E:\Mod07\Labfiles\scripts\CreateWebsite\CreateWebsite\CreateWebsite\Bin\Debug\CreateWebsite.exe.
2. Copy the script to the C:\ drive and run it from PowerShell.

Task 7: Use PowerShell script to verify site was created


Use $iissites.Find to locate NewSite.
Results: After this exercise, you should have successfully created a Microsoft.PowerShell profile script. You should have also used a saved script to list Web sites. Finally, you should have successfully created a site named NewSite.


Exercise 4: Navigating IIS tasks using WMI and AppCmd


Scenario
You need to verify which tasks are running on the server. Use WMI and AppCmd to display the list of running tasks. In this exercise, students will use WMI and AppCmd for IIS administration. The main tasks for this exercise are as follows:
1. Use AppCmd to identify tasks running on the Web server.
2. Use AppCmd to identify all running application pools.
3. Use AppCmd to recycle all running application pools.
4. Move all applications in a site to NewAppPool apppool.
5. Store configuration information to file, and then restore the configuration information.
6. Use WMI to list the default Web site on the Web server.

Task 1: Use AppCmd to identify tasks running on the Web server


1. Open a Command Prompt.
2. Navigate to c:\windows\system32\inetsrv to run AppCmd.

Task 2: Use AppCmd to identify all running application pools

Task 3: Use AppCmd to recycle all running application pools
Use this command: appcmd list apppool /xml | appcmd recycle apppool /in

Task 4: Move all applications in a site to NewAppPool apppool


Use this command: appcmd list app /site.name:"NewSite" /xml | appcmd set app /in /applicationPool:NewAppPool


Task 5: Store configuration information to file, and then restore the configuration information
To store configuration information:
appcmd list config "Default Web Site/" /section:caching /xml /config > config.xml
To restore configuration information:
appcmd set config "Default Web Site/" /in < config.xml

Task 6: Use WMI to list the default Web site on the Web server
1. Using Notepad create a file named GetSite.vbs with the following code:
Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSite = oIIS.Get("Site.Name='Default Web Site'")
WScript.Echo "Retrieved an instance of Site "
WScript.Echo " Name: " & oSite.Name
WScript.Echo " ID: " & oSite.ID

2. Open a Command Prompt and navigate to the folder where GetSite.vbs is located.
3. Type cscript //h:cscript.
4. Run the GetSite.vbs script.
Results: After this exercise, you should have successfully used AppCmd to recycle application pools, move applications and store configuration information to a file. You should have also successfully identified the default Web site using WMI.


Module Review and Takeaways

Review Questions
1. What are the different tools available for IIS 7.0 administration?
2. How can you use scripts to simplify IIS 7.0 administration?
3. What are the benefits of PowerShell?
4. What things can you do with AppCmd.exe?
5. What is Microsoft.Web.Administration and how can it be used?
6. What are some examples of tasks you can perform using WMI?


Module 8
Tuning IIS 7.0 for Improved Performance
Contents:
Lesson 1: Implementing Best Practices for Improving IIS Performance
Lesson 2: Configuring Options to Improve IIS Performance
Lesson 3: Managing Application Pools to Improve IIS Performance
Lab: Tuning IIS 7.0 for Improved Performance


Module Overview

An important aspect of managing a Web server is implementing best practices that ensure the best possible performance. This module briefly introduces some best practices for improving performance in IIS 7.0. In this module, you will learn how to configure IIS to provide the best performance. You will also learn how to manage application pools to achieve performance goals.


Lesson 1:

Implementing Best Practices for Improving IIS Performance

Before configuring performance options, it is important to understand how global changes and local changes impact running servers, and how server consolidation and limiting server access play an important role in maximizing resources. In this module, you will learn about the best practices for implementing changes, consolidating servers, and configuring limits on Web site access.


How Do Global Changes Impact Running Worker Processes?

Key Points
When a change is made at the site or application level, the changes are picked up immediately by the Web server. Only the global changes that affect multiple sites and applications will cause the running processes to recycle. If changes are made in a localized scope, then the rest of the sites and applications will not be restarted. Because of this, you should schedule global changes for off-peak times to avoid service interruption.

Question: What are some examples of local and global changes?


Why Consolidate Server Roles?

Key Points
When you standardize on fewer physical servers, the number of machines and complex configurations you need to manage decreases. This has two key benefits:
- Increased reliability and availability: Standardize high availability configurations and make fewer changes.
- Improved Security: Standardizing configuration and secure management practices improve security.

Question: How might your organization benefit by retiring or reusing older hardware and consolidating sites?


When to Configure Web Site Limitations

Key Points
Use Web Site Limits to configure performance settings for your Web site based on bandwidth usage and connection limits. For example, by restricting either bandwidth or the number of connections, or both, on a low-priority Web site, you enable other, higher-priority sites to handle larger traffic loads. You can adjust these settings as network traffic and usage changes.

Question: Why are Web site limits important when consolidating servers?


Lesson 2:

Configuring Options to Improve IIS Performance

In this lesson, you will learn how to configure output caching and compression. You will also learn how to install and configure Windows System Resource Manager, and some scenarios and best practices for configuring logging for best performance.


Configuring Cache Settings

Key Points
In IIS 7.0, you can configure output caching to improve performance on your Web server, site, or application. When a user requests a Web page, IIS processes the request and returns a page to the client browser. If you enable output caching, a copy of that processed Web page is stored in memory on the Web server and returned to client browsers in subsequent requests for that same resource. This eliminates the requirement to reprocess the page every time that it is requested. This is helpful when your content relies on an external program for processing, such as with a Common Gateway Interface (CGI) program, or includes data from an external source, such as from a remote share or a database.

Question: What applications in your current environment could benefit from dynamic output caching?


Guidelines for Configuring Compression

Key Points
HTTP compression lets you make more efficient use of bandwidth and enhances the performance of sites and applications. You can configure HTTP compression for both static and dynamic sites. IIS provides the following compression options:
- Static files only
- Dynamic application responses only
- Both static files and dynamic application responses

Question: When would enabling dynamic compression improve the page load time for the client?


How to Install and Configure WSRM

Key Points
Microsoft Windows System Resource Manager (WSRM) on Microsoft Windows Server 2008 allows you to control how CPU and memory resources are allocated to applications, services, and processes on the computer.

Question: How are you currently using WSRM for Microsoft Windows Server 2003 in your organization?


Configuring Logging Frequency

Key Points
Logging a lot of information about the Web server can consume resources and disk I/O. To minimize the impact to performance:
- Log only minimal information for routine statistics
- Consider saving log files to a separate disk
- Recycle logs
- Configure Failed Request Event Tracing for exceptions
  - Use FREB to capture detailed information only in exceptional situations
    - Critical errors
    - Unresponsive states

Question: How might the configuration of logging change over an application's lifecycle?


Demonstration: Configuring Dynamic Output Cache to Improve Performance

Question: What are some scenarios in which you might use dynamic output caching?


Lesson 3:

Managing Application Pools to Improve IIS Performance

Application pools allow you to apply configuration settings to groups of applications and the worker processes that service those applications. Any Web site, Web directory, or virtual directory can be assigned to an application pool. In this lesson, you will learn how to manage application pools to get the best performance from your Web server. You will also learn how to deploy an application with Xcopy.


Managing Application Pools

Key Points
You can configure IIS to isolate applications to separate application pools, or consolidate them. With WSRM you can distribute the processing load. Additionally, you can configure IIS to automatically recycle worker processes at specified intervals or when specific resource usage thresholds are met.

Question: Why would you recycle an application pool on a specific time interval?


When to Configure Applications to Use the Same Application Pool

Key Points
Consolidating multiple applications can significantly save resources on the server. You might consider assigning multiple applications to an application pool when:
- The applications are known to be stable
- All use same .NET version
- The scenario does not require highest level of security
- There are tight resource constraints on the server

Isolating applications to separate application pools is best when:
- The applications are new (unproven)
- There are known problem applications
- You must have sandboxed applications
- The applications use different .NET versions or are legacy apps
- There are security concerns between applications

Question: What is the default behavior for application pools when you create a new application?


Deploying Applications and Updates with Xcopy

Key Points
Xcopy deployment describes deployment where you use the drag-and-drop feature in Microsoft Windows Explorer, File Transfer Protocol (FTP), or the command line Xcopy command to copy files from one location to another. The application requires no modifications to the registry and has no special installation requirements for the host company on hosted sites.

Question: How would you leverage scripting in deploying applications via Xcopy?


Lab: Tuning IIS 7.0 for Improved Performance

Exercise 1: Deploying Applications


Scenario
You receive a request to deploy a second copy of an installed application, and then deploy updates to the new installation so that the Enterprise Design QA team can test the proposed updates.

Exercise Overview
In this exercise, students will learn how to deploy an application, as well as application updates, with Xcopy. This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine.
2. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator.
3. Add ASP.NET and Dynamic Content Compression features to the IIS Role.
4. Create the SalesSupport application and copy the ASP.NET application files.
5. Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy.
6. Deploy the application updates to SalesSupport2 using Xcopy.
7. Create and assign an application pool for SalesSupport2 and test functionality.

Task 1: Start the 6427A-NYC-DC1 virtual machine


Start 6427A-NYC-DC1.

Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator


Start 6427A-NYC-WEB-A, and log on as LocalAdmin with the password of Pa$$w0rd.

Task 3: Add ASP.NET and Dynamic Content Compression features to the IIS Role
On NYC-WEB-A, use Server Manager to add the ASP.NET and Dynamic Content Compression role services.

Task 4: Create the SalesSupport application and copy the ASP.NET application files
1. On NYC-WEB-A, use IIS Manager to add the SalesSupport application with a physical path of c:\inetpub\wwwroot\SalesSupport.
2. Copy the application files from E:\Mod08\Labfiles\SalesSupport to c:\inetpub\wwwroot\SalesSupport.


Task 5: Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy
1. At the command prompt, change directories to c:\inetpub\wwwroot.
2. Create a new directory named SalesSupport2.
3. Use the xcopy command to copy all of the files and the directory structure from SalesSupport to SalesSupport2.

Task 6: Deploy the application updates to SalesSupport2 using Xcopy


1. At the command prompt, use Xcopy to copy the updated files from E:\mod08\labfiles\salessupport2 to c:\inetpub\wwwroot\salessupport2.
2. In IIS Manager, add the application SalesSupport2 with the physical path c:\inetpub\wwwroot\salessupport2.

Task 7: Create and assign an application pool for SalesSupport2 and test functionality
1. In IIS Manager, add an application pool named SalesSupport2 and assign it to the SalesSupport2 application.
2. In Internet Explorer, browse to http://localhost/salessupport, and then browse to http://localhost/salessupport2 and compare results.
Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, deployed the SalesSupport2 application, and verified functionality.


Exercise 2: Configuring IIS Performance Options


Scenario
Next you will configure performance options for the SalesSupport application. First, you will use Performance Monitor to look at the current machine performance. Then you will configure and test output caching, compression, and throttling.

Exercise Overview
In this exercise, students will learn how to configure IIS Performance Options. This exercise's main tasks are:
1. Use Performance Monitor to measure performance.
2. Configure Output Caching.
3. Configure Compression.
4. Configure connection limit throttling.

Task 1: Use Performance Monitor to measure performance


1. On NYC-WEB-A, open Performance Monitor.
2. Remove all counters, and then add the Web Service counters Bytes Sent/sec for all instances.
3. With Performance Monitor running, in Internet Explorer, browse to http://localhost/salessupport/test.aspx.
4. After the page loads, click refresh several times rapidly. Notice that the time is dynamically updated with each refresh. Close Internet Explorer.
5. Examine the throughput in Performance Monitor.


Task 2: Configure Output Caching


1. In IIS Manager, add a cache rule to the SalesSupport application for the extension .aspx.
   Select Kernel-mode caching.
   Click At time intervals, and then delete the existing text and type 00:00:10.
2. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and click refresh several times rapidly for at least 30 seconds. Notice how often the time is updated.
3. Browse to http://localhost/salessupport2/test.aspx, and then click refresh several times rapidly. Notice that the time updates with each refresh.
4. In Reliability and Performance Monitor, compare the graphs for the two pages. You may need to zoom in to see the difference.

Task 3: Configure Compression


1. In Internet Explorer, browse to http://localhost. Click refresh several times rapidly.
2. In Reliability and Performance Monitor, examine the throughput.
3. In IIS Manager, enable static content compression for the default web site.
4. In Internet Explorer, browse to http://localhost and click refresh several times rapidly.
5. In Reliability and Performance Monitor, examine the throughput.
6. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and click refresh several times rapidly.
7. In Reliability and Performance Monitor, examine the throughput.
8. In IIS Manager, enable dynamic content compression.
9. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and click refresh several times rapidly.
10. In Reliability and Performance Monitor, examine the throughput and compare results.


Task 4: Configure connection limit throttling


1. Open Internet Explorer and browse to http://localhost. Open two more tabs and browse to http://localhost so that you have three tabs open to http://localhost.
2. Right-click a tab and choose Refresh All. Notice that all of the tabs refresh successfully. Close Internet Explorer.
3. In IIS Manager, set a Web Site Limit for the default web site so that the number of connections is limited to 1.
4. In Internet Explorer, open three tabs to http://localhost. Right-click a tab and choose Refresh All. Notice that one of the tabs now reports an error. Close Internet Explorer before continuing.

Results: After this exercise, you should have configured performance options and verified functionality.


Exercise 3: Managing Application Pools to Improve Performance


Scenario
You will now modify the application pools to improve resource usage.

Exercise Overview
In this exercise, students will learn how to manage application pools to improve performance. This exercise's main tasks are:
1. Use Reliability and Performance Monitor to measure resource usage.
2. Recycle an application pool.
3. Assign SalesSupport and SalesSupport2 to the same application pool.

Task 1: Use Reliability and Performance Monitor to measure resource usage


1. On NYC-WEB-A, open Internet Explorer and browse to http://localhost/salessupport. Open a second tab, and browse to http://localhost/salessupport2.
2. Open Reliability and Performance Monitor. Examine the memory usage of w3wp.exe and the number of instances.

Task 2: Recycle an application pool


1. In IIS Manager, recycle the SalesSupport2 application pool.
2. In Reliability and Performance Monitor, examine the memory and number of instances of w3wp.exe and compare results.
3. Close Internet Explorer before continuing.


Task 3: Assign SalesSupport and SalesSupport2 to the same application pool


1. In IIS Manager, modify the SalesSupport2 application to use the default application pool, and then remove the SalesSupport2 application pool.
2. Open Internet Explorer and browse to http://localhost/salessupport. Open a second tab and browse to http://localhost/salessupport2.
3. In Reliability and Performance Monitor, examine the memory and number of instances of w3wp.exe.

Results: After this exercise, you should have recycled and consolidated application pools, and verified resource usage with Reliability and Performance Monitor.


Module Review and Takeaways

Review Questions
1. What is the difference between compression and caching and how do they interact?
2. What impact do the various performance settings have on CPU usage, memory usage, disk I/O, and network bandwidth?
3. What options do you have for ensuring that an application does not monopolize resources?


Module 9
Ensuring Web Site Availability with Web Farms
Contents:
Lesson 1: Backing Up and Restoring Web Sites
Lesson 2: Introducing Shared Configurations
Lesson 3: Working with Shared Configurations
Lesson 4: Configuring Network Load Balancing for IIS
Lab: Ensuring Web Site Availability with Web Farms


Module Overview

Server farms provide an effective way of ensuring continual, reliable operation of Web sites and large Web server infrastructures. Windows Server 2008 and IIS 7.0 provide many features for creating reliable Web server farms and managing Web sites across a dispersed server deployment. One of the main new features for managing IIS 7.0 server farms is shared configurations, which allow for IIS 7.0 configurations to be centrally deployed and managed.


Lesson 1

Backing Up and Restoring Web Sites

The backup and restore process is critical for maintaining a reliable IT infrastructure. This lesson provides an overview of the backup and restore process and details specific considerations for Windows Server 2008 IIS 7.0 systems.


Understanding IIS 7.0 Web Site Backup

Key Points
IIS 7.0 uses config files within the Web sites to manage Web site configurations and settings. The critical files for Web site backups include all the applications, data files, and XML config files that reside in the Web site folders.

Question: How might you adjust your web server backup procedures for IIS 7.0?


Configuring Backup for a Web Site and Web Server

Key Points
Windows Server 2008 IIS 7.0 provides an easy method to relocate Web server files onto UNC shares. However, even with the critical Web site files located in a secure storage device, it is still necessary to perform regular backups of Web servers because critical configuration and log files are stored on the IIS 7.0 server.

Question: Web server log files can grow to be very large. What techniques can you use to manage the backup process for Web server log files?


Performing Web Site Restore

Key Points
A Web server can be easily rebuilt by reinstalling the system and restoring the Web site application, data, and XML config files. Alternatively, if all the Web site data resides locally on the Web server, a complete restore will be able to return the server to previous functionality.


Performing Web Server Backup Validation

Key Points
It is critical to ensure that Web server backups are complete and accurate and meet the necessary long-term data storage requirements. It is important to integrate a server backup validation strategy into your backup plan. There are many techniques that may be performed to test and ensure that the backups have been completed successfully.
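
One way to carry out an integrity check on a file-copy backup such as the one made in this module's lab, shown as an added example that is not part of the course material: the script hashes every file under the live site folder and under the backup copy and reports what is missing or different. The function names and the sample files created by demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as handle:
                # Read in chunks so large content or log files do not fill memory.
                for chunk in iter(lambda: handle.read(1024 * 1024), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_backup(source_root, backup_root):
    """Return files missing from, altered in, or only present in the backup."""
    source = build_manifest(source_root)
    backup = build_manifest(backup_root)
    common = source.keys() & backup.keys()
    return {
        "missing": sorted(set(source) - set(backup)),
        "changed": sorted(p for p in common if source[p] != backup[p]),
        "extra": sorted(set(backup) - set(source)),
    }


def backup_is_valid(report):
    """Extra files do not invalidate a backup; missing or changed ones do."""
    return not report["missing"] and not report["changed"]


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed sample trees standing in for wwwroot and the backup share."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "wwwroot")
        backup = os.path.join(tmp, "backup")
        files = {
            "web.config": b"<configuration />",
            "iisstart.htm": b"<html>ok</html>",
            "SalesSupport/test.aspx": b"<%@ Page %>",
        }
        for rel, data in files.items():
            _write(source, rel, data)
            _write(backup, rel, data)
        # Simulate an incomplete copy and a truncated config file in the backup.
        os.remove(os.path.join(backup, "SalesSupport", "test.aspx"))
        _write(backup, "web.config", b"<configuration")
        return compare_backup(source, backup)


if __name__ == "__main__":
    report = demo()
    for kind in ("missing", "changed", "extra"):
        for path in report[kind]:
            print(f"{kind:8} {path}")
    print("backup valid:", backup_is_valid(report))
```

To check the lab backup, call compare_backup with C:\inetpub\wwwroot as the source and \\NYC-WEB-D\E\Web Site Backup as the backup root.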

Question: What strategies have you used in the past to ensure the validity of system backups?


Lesson 2

Introducing Shared Configurations

Shared configurations provide an effective way of managing multiple IIS 7.0 Web servers, to maintain consistent configurations across the server farm. This lesson provides an introduction to shared configurations, describing the use and benefits.


Reviewing Centralized Shared Configurations

Key Points
Centralized shared configuration helps support homogeneous Web farms where machines share the same configuration across a server group. After exporting the configuration from the main server, additional servers in the Web server farm can be set to use the configuration set on the central file server. By having the servers all using the same files on the same share, IIS 7.0 eliminates the need for replication or synchronization.


Reviewing Advantages of IIS on DFS-enabled Share

Key Points
Using IIS 7.0 on DFS provides a number of advantages, including easier management and high availability. DFS allows you to use centralized network resources in a unified namespace, so that it appears to users that files reside in one place on the network.

Question: What Web sites do you think employ technologies like DFS? What kinds of advantages do these technologies offer?


Pros and Cons of Offline Configuration Files vs. DFS

Key Points
The offline configuration files feature, or client side caching, enables files stored on a network share to be accessed even when the network share is unavailable. The IIS 7.0 shared configuration system is designed so that the Web site and server's configurations will remain cached in the Web server, keeping the Web sites functioning until the problem with the configuration file server is resolved. Shared offline configuration files offer some benefits over using a complex DFS infrastructure. Shared offline configuration files provide a faster solution that is quicker and easier to set up. While more complex and difficult to deploy, DFS offers many advantages.


Reviewing an IIS Web Site on a DFS-enabled Share

Key Points
DFS can be used to make files that are distributed across multiple servers. DFS also allows the network resources to be centralized in a single unified namespace. When you use DFS as the filing system for IIS, you can use relative links in your Web site. These links can point to any network resource even if the resource does not reside on that same physical server.


Deploying Configuration Files on DFS-enabled Share

Key Points
Use the DFS Administrator tool to build a single hierarchical view of multiple file servers and file server shares that are physically distributed across a network. Then build a logical DFS folder of the main Web site. First, make sure the File Server Role Services for Distributed File System has been installed. Start the Distributed File System admin tool. Create a New DFS Root. Select the name of the domain where you want to create the DFS root. Type the path and the name of the root for the Web site.


Reviewing the Benefits of Using Shared Configurations

Key Points
Using IIS 7.0 shared configurations offers many advantages for Web site and server management.
Manage Portability: Using shared configurations makes it very easy to relocate a Web site.
Deploy Replication: Configuration can be pushed out onto multiple servers, with the same settings, sites, and application pools, to work across large Web farms.
Maintain Synchronization: With shared configuration, all the servers will be updated simultaneously.
Re-deploy Staged Deployments and Rollback: It is easy to create versions of configuration and test changes on identically configured servers.

Question: Which benefit(s) of shared configuration do you think might be most useful to you and/or your organization?


Lesson 3

Working with Shared Configurations

It is very easy to configure and deploy shared configurations with IIS 7.0. You can use the IIS Manager or the command line to enable shared configurations. This lesson describes the steps to enable shared configurations. It also offers various tips, tricks, and best practices for using shared configurations.


Enabling Shared Configuration with the IIS Manager

Key Points
Before you can enable shared configurations, make sure you have your UNC share configured and enabled. Shared configuration in IIS 7.0 is very robust and supports a very large number of servers.


Enabling Shared Configuration from the Command Line

Key Points
The command line, along with AppCmd, can be used to manage and deploy shared configurations.


Exporting and Enabling 2-Node Shared Configuration

Key Points
The site owner is able to deploy their IIS configuration, their ASP.NET configuration and code, and their content, straight to the server.


Reviewing the Impact If Shared Configuration is Offline

Key Points
An important consideration is what would happen if the server hosting the config becomes unavailable while the Web server remains available. The IIS 7.0 shared configuration system is designed so that the Web site and server's configurations will remain cached in the Web server, keeping the Web sites functioning until the problem with the configuration file server is resolved.


Reviewing IIS Shared Configurations Best Practices

Key Points
It is important to research and maintain best practices if you are deploying shared configurations. Best practices are always being updated and refined, so it is important to keep up with the latest recommendations. A key point in maintaining a healthy shared configuration infrastructure is to make sure all servers in the server farm have identical configurations and the same components. Using an unattended config file to install a farm of Web servers will help ensure identical configurations are in place.


Reviewing IIS Shared Configurations Tips and Tricks

Key Points
If you want to use Xcopy to deploy your server configuration instead of using the IIS Manager, it's important to note a few things. The machine keys are used to encrypt properties like passwords for application pool identities or anonymous users. If you installed any custom modules or certificates, they should exist on all the machines before you share configuration.

You need to install any components on all servers in the farm before sharing their configs. If you install a filter or an IIS component, such as Basic authentication, you must remove the server from shared configuration and install it locally. Then ensure it exists on all machines before restoring shared configuration.
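
A way to check that every node has the same components before sharing configuration, added here as an example rather than taken from the course: it compares the `<globalModules>` list in each server's local applicationHost.config and reports which node lacks which module. The two config excerpts are constructed samples and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed excerpts of each lab server's local applicationHost.config.
NYC_WEB_D = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
      <add name="BasicAuthenticationModule" image="%windir%\System32\inetsrv\authbas.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

NYC_WEB2 = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\system32\inetsrv\cachhttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def global_modules(config_xml):
    """Return {module name: image path} from applicationHost.config text."""
    root = ET.fromstring(config_xml)
    section = next(root.iter("globalModules"), None)
    if section is None:
        raise ValueError("no <globalModules> section found")
    # Windows paths are case-insensitive, so normalise the image path.
    return {
        add.get("name"): (add.get("image") or "").lower()
        for add in section.findall("add")
    }


def farm_drift(configs):
    """Compare each node against the union of modules seen across the farm.

    configs maps a node name to its applicationHost.config text. The result
    maps each out-of-step node to the modules it lacks and to the modules whose
    image path differs from the first node that declared them.
    """
    per_node = {node: global_modules(text) for node, text in configs.items()}
    reference = {}
    for modules in per_node.values():
        for name, image in modules.items():
            reference.setdefault(name, image)
    drift = {}
    for node, modules in per_node.items():
        missing = sorted(set(reference) - set(modules))
        mismatched = sorted(n for n, img in modules.items() if img != reference[n])
        if missing or mismatched:
            drift[node] = {"missing": missing, "image_mismatch": mismatched}
    return drift


def safe_to_share(configs):
    """True only when every node declares the same modules with the same images."""
    return not farm_drift(configs)


if __name__ == "__main__":
    farm = {"NYC-WEB-D": NYC_WEB_D, "NYC-WEB2": NYC_WEB2}
    for node, problems in farm_drift(farm).items():
        print(node, "missing:", problems["missing"],
              "image mismatch:", problems["image_mismatch"])
    print("safe to enable shared configuration:", safe_to_share(farm))
```

Each server keeps this file at %windir%\System32\inetsrv\config\applicationHost.config; read it from every node before enabling shared configuration and pass the contents in.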


Reviewing Web Farm Session State Requirements

Key Points
Session state lets you associate a server-side string or object dictionary with a particular HTTP client session. The session data is stored on the server side in one of the supported session state stores. Using session state in an ASP.NET application can add noticeable overhead to the application performance. By taking advantage of optimizations using best practices, the impact of session state management may be reduced. Not all pages will need access to session state.


Lesson 4

Configuring Network Load Balancing for IIS

Network load balancing is an excellent way of configuring large server farms to provide a high-availability solution for mission-critical Web sites. In this lesson we will review how network load balancing works, how to configure network load balancing, and then review the best practices.


Reviewing Network Load Balancing

Key Points
Network Load Balancing is a system where multiple servers share a single IP address and where clients access services through the shared IP address. Load balancing can be hardware- or software-based. Windows Server 2008 includes software-based load balancing. If you use hardware-based load balancing, you must consider the scalability and fault tolerance of the Network Load Balancing hardware.

Question: Does your organization currently use network load balancing? How would you deploy NLB for IIS 7.0?


Configuring Network Load Balancing in IIS 7.0

Key Points
NLB can be used to ease server maintenance. You can patch and reboot a server that's in an NLB cluster without making the cluster content unavailable to clients. Network Load Balancing can be used in different areas of a Web enterprise, including setting up a high-availability firewall cluster, a large farm of Web servers, and a robust array of data storage servers. Network Load Balancing is particularly useful for ensuring that Web pages from a server running IIS 7.0 are highly available and can be scaled out by adding additional servers as the load increases. Network Load Balancing also makes it easy to replace a malfunctioning server or to add a new server to provide scalability.


Question: Deploying Network Load Balancing in the different areas of a Web enterprise provides different types of benefits. Describe the different types of benefits offered by deploying firewall, Web server, and data store clusters.


Configuring NLB Using Shared Configurations

Key Points
IIS 7.0 Shared Configurations allow for easier deployment and management of Network Load Balanced server farms.


Verifying Network Load Balancing Functionality

Key Points
It is important to test and continuously monitor Network Load Balancing functionality. There are many tools available to help automate the task of monitoring your servers and clusters.


Reviewing NLB IIS Server Farms Best Practices

Key Points
There are many sources for recommendations for the best ways to configure and manage Network Load Balancing systems. A few are mentioned here, but it is important to perform thorough research before deploying this type of complex system.


Lab: Ensuring Web Site Availability with Web Farms

Exercise 1: Backing Up an IIS Web Site


Scenario
The Enterprise Design Team has asked you to explore options for increasing Web site availability. Before you begin, you will back up an existing site and verify that it can be restored properly. The main tasks for this exercise are as follows:
1. Start the 6427A-NYC-DC1 virtual machine.
2. Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator.
3. Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator.
4. Back up the Web site, Web application, and config files to the E: drive.


Task 1: Start the 6427A-NYC-DC1 virtual machine

Task 2: Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator
Log on to NYC-WEB-D.
   User: Woodgrovebank\Administrator
   Password: Pa$$w0rd

Task 3: Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator


Log on to NYC-WEB2.
   User: Woodgrovebank\Administrator
   Password: Pa$$w0rd

Task 4: Back up the Web site, Web application, and config files to the E: drive
1. Create a new folder:
   E:\Web Site Backup
2. Copy the files:
   Source: C:\inetpub\wwwroot
   Destination: \\NYC-WEB-D\E\Web Site Backup

Results: After this exercise, you should have successfully backed up a Web site. Provide the results of the exercise so students will know when and if they have completed the lab exercise successfully.


Exercise 2: Restoring an IIS Web Site


Scenario
The Enterprise Design Team has asked you to verify that the backups can be restored properly. Do this by restoring the Web files to a second server and confirming that the second server functions properly. The main task for this exercise is:
1. Restore the Web site, Web application, and config files from the shared drive.

Task 1: Restore the Web site, Web application, and config files from the shared drive
1. Open the default Web site in Internet Explorer on NYC-WEB2.
2. Copy the files:
   Source: \\NYC-WEB-D\E\Web Site Backup
   Destination: C:\inetpub\wwwroot
3. Refresh the default Web site in Internet Explorer on NYC-WEB2.


Results: After this exercise, you should have successfully restored a Web site to a second server. Provide the results of the exercise so students will know when and if they have completed the lab exercise successfully.


Exercise 3: Enabling Shared Configurations


Scenario
The next step is to increase Web site availability. Now that you have two identically configured Web servers, implement shared configurations for them. The main tasks for this exercise are as follows:
1. Export and Enable Shared Configuration.
2. Add the second Web server to use the Shared Configuration.
3. Test the Shared Configuration.

Task 1: Export and Enable Shared Configuration


1. Export configuration using IIS Manager.
   Server: NYC-WEB-D
   Physical Path: \\NYC-WEB-D\E
   Encryption keys password: Pa$$w0rd
2. Using IIS Manager, enable shared configuration.
   Physical Path: \\NYC-WEB-D\E
   User name: Woodgrovebank\Administrator
   Password: Pa$$w0rd
   Encryption key password: Pa$$w0rd
3. Using IIS Manager, start Management Service.


Task 2: Add the second Web server to use the Shared Configuration.
1. Using IIS Manager, enable shared configuration.
   Server: NYC-WEB2
   Physical Path: \\NYC-WEB-D\E
   User name: Woodgrovebank\Administrator
   Password: Pa$$w0rd
   Encryption key password: Pa$$w0rd
2. Using IIS Manager, start Management Service.

Task 3: Test the Shared Configuration.


1. Using IIS Manager, add the default document for NYC-WEB-D.
   Server: NYC-WEB-D
   Name: test.html
2. Using IIS Manager, check the default document for NYC-WEB2.


Results: After this exercise, you should have successfully configured a two-server network with an underlying foundation of shared configurations.


Exercise 4: Configuring Network Load Balancing


Scenario
With the two Web servers set up with Shared Configurations, configure Network Load Balancing to increase Web site availability. The main tasks for this exercise are as follows:
1. Create a new Network Load Balancing cluster.
2. Add the second host to the Network Load Balancing cluster.
3. Add the second server to the Network Load Balancing cluster.
4. Verify Network Load Balancing using NLB commands.

Task 1: Create a new Network Load Balancing cluster


Using Network Load Balancing Manager, add a new cluster.
   Server: NYC-WEB-D
   Host: NYC-WEB-D
   Interface IP address: 10.10.0.21
   Cluster IP Addresses, IPv4 address: 10.10.0.27
   Cluster IP Addresses, Subnet mask: 255.255.0.0
   Full Internet name: cluster.woodgrovebank.com

Task 2: Add the second host to the Network Load Balancing cluster
Using Network Load Balancing Manager, add the second host to the cluster.
   Host: NYC-WEB2
   Local Area Connection interface IP address: 10.10.0.26
   Priority (unique host identifier): 2


Task 3: Add the second server to the Network Load Balancing cluster
Using Network Load Balancing Manager, add the second server to the cluster.
   Server: NYC-WEB2

Task 4: Verify Network Load Balancing using NLB commands


1. Using the Command Prompt, verify Network Load Balancing.
   Server: NYC-WEB2
   Command: NLB query 10.10.0.27
2. Using the Command Prompt, verify Network Load Balancing.
   Server: NYC-WEB-D
   Command: NLB query 10.10.0.27
3. Using the Command Prompt, verify Network Load Balancing.
   Server: NYC-WEB-D
   Command: NLB display

Results: After this exercise, you should have successfully restored a Web site to a second server. Provide the results of the exercise so students will know when and if they have completed the lab exercise successfully.


Module Review and Takeaways

Review Questions
1. Explain some of the actions that may be taken to validate that a Web server backup was completed successfully.
   Answer: Examine backup logs, check for error messages, perform occasional test recoveries, check the integrity of the data.

2. Explain some of the advantages of using IIS on a DFS-enabled share.
   Answer: DFS allows you to centralize the network resources in a unified namespace. The logical namespace remains constant even if you move network resources to either a different server or a shared folder. DFS can be used with IIS to make Web site management easier. It can offer better performance and high availability.

3. Explain the benefits of using shared configurations in an IIS 7.0 Web server enterprise.
   Answer:
   Manage Portability: The IIS site configuration is stored in the Web.config file, along with the code and content, making it very easy to move a Web site. A developer or server administrator can control configuration and deploy from a test or dev machine straight to the server. Another aspect of portability is that environment variables, such as %windir%, can be used in the configuration file.
   Deploy Replication: Configuration can be pushed out onto multiple servers, with the same settings, the same sites, and the same application pools, to work across a Web farm.
   Maintain Synchronization: It is important to synchronize changes across a Web server farm. With shared configuration, all the servers will be updated simultaneously.
   Re-deploy Staged Deployments and Rollback: We need to be able to implement new features across a Web server farm. It is now easy to create versions of configuration and test changes on identically configured servers.

4. Explain what happens if the file server with the configuration files goes down, but the Web servers remain functional.
   Answer: The configurations will be cached in memory. Files are copied locally and then used until the file server hosting the config files is back online. If the Web server or service is restarted, it will report an invalid config.

5. Explain some of the advantages of using Network Load Balancing clusters.
   Answer: It can provide scalability, load balancing, and fault tolerance.

Common Issues in Configuring Shared Configuration and Network Load Balancing


Identify the causes for the following common issues related to a particular technology area in the module and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue | Troubleshooting tip
Shared configuration export fails | Make sure the UNC share is configured properly.
Shared configuration fails | Make sure you are using the correct password.
NLB fails | Make sure servers have correct IP configuration and are on the same subnet.


Real-world Issues and Scenarios


1. Margie's Travel is experiencing expanded growth in use of their Web site. In order to meet that demand they decide to add additional Web servers in a Network Load Balancing configuration. How would you recommend doing this?
2. Adventure Works wants to expand their server reliability so they decided to deploy shared configurations for their Web servers. What would be the best way of deploying this?

Best Practices for Shared Configurations and Network Load Balancing


Supplement or modify the following best practices for your own work situations:

Before you enable shared configuration
   Make sure that all the servers have the same components.
   Verify each machine using Role Manager or registry query.

Before you install a new component in a shared configuration network
   If it writes to the applicationHost.config, you can't install it with shared config enabled.
   Take servers offline and update separately.
   Configure servers as needed before enabling shared config.

Secure the Network Load Balancing systems
   The NLB subnet must be physically protected from intrusion to avoid interference from unauthorized heartbeat packets.
   Administration tools that administer NLB clusters can be run from remote workstations. Ensure that the applications are run from trusted computers.
   Consistently install the same set of modules.


Tools
Tool          Use for               Where to find it
IIS Manager   Managing IIS Server   Administrative Tools
NLB Manager   Managing NLB          Administrative Tools


Module 10
Troubleshooting IIS 7.0 Web Servers
Contents:
Lesson 1: Using IIS 7.0 Logging for Troubleshooting
Lesson 2: Troubleshooting Authentication and Authorization
Lesson 3: Troubleshooting Communication
Lesson 4: Troubleshooting Configuration
Lab: Troubleshooting IIS 7.0 Web Servers


Module Overview

Logging and tracing are essential to troubleshooting many types of Web server issues. In addition, the new tracing infrastructure allows detailed error messages to help administrators solve problems quickly. In this module, you learn about the supportability enhancements to IIS 7.0 and you will use them to troubleshoot a variety of problems.


Lesson 1: Using IIS 7.0 Logging for Troubleshooting

Before trying to troubleshoot an issue, it is important to understand logging and the new tracing infrastructure in IIS 7.0. In this module, you will learn about logging, tracing, and the new Failed Request Tracing feature. You will also learn about some best practices for configuring logging.


Why Audit IIS Logs?

Key Points
In addition to the Microsoft Windows Server 2008 system and security logs, you should configure IIS to log site visits. When users access your server that is running IIS 7.0, IIS logs the information. The logs provide valuable information that you can use to identify any errors that occur on your Web server.

Question: What is logged on a successful visit?


How the Tracing Infrastructure Works

Key Points
In IIS 6.0, all of the tracing data was hard-coded into ETW (Event Tracing for Windows), requiring the use of ETW to gather trace logs. With IIS 7.0, this has changed. All tracing is now emitted through a single tracing infrastructure. A custom module can also register for tracing notifications. All tracing is done through the unified pipeline and consumed by two modules that ship with IIS, the ETW trace module and the IIS Failed Request Tracing module. Developers can easily create their own trace events. The modular infrastructure also allows Microsoft to ship updated tracing modules without requiring an operating system upgrade or service pack installation.

Question: How are you using tracing in your environment today?


When to Monitor for Critical Errors

Key Points
Request-based tracing provides a great way to figure out what exactly is happening to requests, provided the problem can be reproduced. Problems like poor performance on some requests, authentication related failures, or Server 500 errors from ASP or ASP.NET can be very difficult to troubleshoot unless you have captured the trace of the problem when it occurs. Failed Request Tracing is designed to buffer the trace events for a request and only save them to disk if the request meets the criteria defined by the administrator.

Question: What are the scenarios in your organization that you might use Failed Event Tracing for an application?


Creating a Failed Request Tracing Rule to Monitor Critical Errors

Key Points
With tracing for failed requests, you can capture an XML formatted log of a problem when it occurs, so that you do not have to reproduce the problem before you start troubleshooting. Additionally, you can define failure conditions for applications and configure which trace events to log on a per-URL basis. Tracing for failed requests is configured at two levels:
- At the site level, you enable or disable tracing and configure log file settings.
- At the application level, you specify the failure conditions for capturing the trace events and also configure which trace events should be captured in the log file entries.

Question: How would you configure Failed Event Tracing differently for the life cycle of an application (test, initial deployment, etc.)?


Configuring Selective Logging for an Application

Key Points
Enable logging for a site when you want IIS to selectively log only certain requests to a site based on configured criteria. As soon as site logging is enabled, you can enable selective logging for any applications on the site. You can also then view the log file to see both which requests are failing and which requests are succeeding.

Question: What business requirements for reporting does your organization have that might impact logging for specific applications?


Best Practices for Logging

Key Points
Logging can impact performance and resources on the Web server. Use Best Practices to minimize the impact while maintaining useful logs.

Question: What best practices are in place for logging in your environment?


Lesson 2: Troubleshooting Authentication and Authorization

For a connection attempt to be accepted, the connection attempt must be both authenticated and authorized. It is possible for the connection attempt to be authenticated by using valid credentials, but not authorized. In this case, the connection attempt is denied. In this lesson, you will learn about common authentication and authorization error messages and how to troubleshoot them using logging and tracing.


What are Common Error Messages?

Key Points
HTTP 401 errors are among the most common errors you may have to deal with in IIS. While the causes for these errors can vary greatly, the causes fall into a finite number of categories. Correctly identifying the category of the cause for your HTTP 401 error can decrease the amount of time needed to identify the root cause of the error.

Question: What are the different ways in which a 401 error may appear to an end user? How does it vary depending on IIS setting, browser, and browser settings?


Reviewing Common Causes of Errors

Key Points
When you troubleshoot HTTP 401 errors, the first step should always be to determine the substatus code.
Code    Definition
401.1   Authentication was attempted, but failed.
401.2   Authentication was not attempted because the server and client could not agree on an authentication protocol.
401.3   Authentication was successful, but the account that authenticated does not have sufficient permissions to access the requested resource or content.
401.4   An ISAPI filter denied the request.
401.5   An ISAPI extension or CGI application denied the request.

Question: What is an ACL?


Enabling Trace Logging

Key Points
Enable trace logging for failed requests when you want IIS to log information about a request that is failing to serve content from a site or an application. When trace logging for failed requests is enabled, IIS provides targeted logging so that you no longer have to look through a list of irrelevant log entries to find a failed request. Additionally, you do not have to re-create an error in order to troubleshoot it. The trace will contain the identity, the authentication method, and the resources being accessed.

Question: How can a trace log help you separate authentication and authorization failures?


Auditing IIS Logs for Authentication and Authorization Issues

Key Points
Use logs to find the point of failure in the authentication and authorization process. The distinction between authentication and authorization is important in understanding why connection attempts are either accepted or denied:
- Authentication is the verification of the credentials of the connection attempt. This process consists of sending the credentials from the remote access client to the remote access server in either plaintext or encrypted form by using an authentication protocol.
- Authorization is the verification that the connection attempt is allowed. Authorization occurs after successful authentication.

Question: Why might you see multiple authentication entries in a log?
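
The log audit described in this lesson can be scripted. The following is an added example, not part of the original course material: it parses W3C extended log text, honours every #Fields directive, and groups 401 entries by the substatus categories from the table earlier in the lesson. The sample log, its IP addresses and the user name yvonne are constructed for illustration.

```python
from collections import Counter

# Substatus meanings as listed in this lesson's 401 table, grouped by the
# stage of the request that failed.
SUBSTATUS_401 = {
    "1": ("authentication", "Authentication was attempted, but failed."),
    "2": ("authentication", "Server and client could not agree on an authentication protocol."),
    "3": ("authorization", "Authenticated, but the account lacks permission to the resource."),
    "4": ("isapi-filter", "An ISAPI filter denied the request."),
    "5": ("isapi-cgi", "An ISAPI extension or CGI application denied the request."),
}

# Constructed sample (not from a real server). The second #Fields directive
# changes the column order, and the last entry is truncated on purpose.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2008-03-01 10:00:01 GET /salessupport/ - 10.10.0.21 401 2 5
2008-03-01 10:00:01 GET /salessupport/ - 10.10.0.21 401 1 2148074254
2008-03-01 10:00:02 GET /salessupport/ - 10.10.0.22 401 2 5
2008-03-01 10:00:05 GET /reports/q1.htm WOODGROVEBANK\yvonne 10.10.0.23 401 3 5
2008-03-01 10:00:06 GET /default.htm - 10.10.0.23 200 0 0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2008-03-01 11:00:00 10.10.0.24 - GET /reports/q1.htm 401 2
2008-03-01 11:00:00 10.10.0.24 WOODGROVEBANK\yvonne GET /reports/q1.htm 200 0
2008-03-01 11:00:01 10.10.0.25 -
"""


def parse_w3c(text):
    """Yield one dict per log entry, using the most recent #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields line cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt entry
        yield dict(zip(fields, values))


def classify_401(entry):
    """Return (category, definition) for a 401 entry, or None for other statuses."""
    if entry.get("sc-status") != "401":
        return None
    return SUBSTATUS_401.get(
        entry.get("sc-substatus", ""),
        ("unknown", "Substatus is not in the lesson's table."),
    )


def audit_401(text):
    """Per URI: 401 counts by category, named users denied, and successful responses."""
    report = {}
    for entry in parse_w3c(text):
        uri = entry.get("cs-uri-stem", "?")
        row = report.setdefault(
            uri, {"categories": Counter(), "users": set(), "successes": 0}
        )
        # 401 entries can precede a successful response for the same URI,
        # so successes are counted alongside the failures.
        if entry.get("sc-status", "").startswith(("2", "3")):
            row["successes"] += 1
        verdict = classify_401(entry)
        if verdict:
            row["categories"][verdict[0]] += 1
            user = entry.get("cs-username", "-")
            if user != "-":
                row["users"].add(user)
    return report


def blocked_uris(report):
    """URIs that returned 401 and never returned a successful response."""
    return sorted(
        uri for uri, row in report.items()
        if row["categories"] and row["successes"] == 0
    )


if __name__ == "__main__":
    result = audit_401(SAMPLE_LOG)
    for uri, row in sorted(result.items()):
        print(uri, dict(row["categories"]), sorted(row["users"]), row["successes"])
    print("Never succeeded:", blocked_uris(result))
```

A URI that appears in blocked_uris matches the lab scenario in which nobody can reach the site, while a URI with authorization-category entries for a named user points at permissions rather than credentials.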


Demonstration: Examining the Output of Trace Logging

Question: What business process could you put into place to decide what errors to trace?


Lesson 3: Troubleshooting Communication

When communication between the client and server fails, or is intermittent, it can be difficult to detect on the server. In addition, communication issues between servers can cause Web sites and applications to fail. In this lesson, you will learn about common communication errors, and how to use logs and tools to troubleshoot them.


What are Common Communication Error Messages?

Key Points
When troubleshooting communication issues, you need to determine if the client can communicate with the Web server at all. If the server is responding to the client with a substatus code, then you can troubleshoot the communication from the server side.

Question: When would a communication issue look like an authentication error?


Reviewing Common Causes of Communication Errors

Key Points:
The following are the most common communication error messages and their likely causes:
- 400 (Page not found): This error usually indicates that the client cannot connect to the server. There may be a network issue at the client, or the client is unable to resolve the Web address with DNS. If network and DNS issues are ruled out, make sure that the W3SVC service is started on the server.
- 503 (Service unavailable): Most likely causes include the application being stopped by Rapid Fail Protection.
- Connection Reset: This error occurs on the client when the connection is reset by the server. Usually this is because the idle time exceeded the HTTP connection timeout. If the client was not idle, this could be caused by slow or intermittent connectivity, or a proxy or redirection issue.

Question: How might you mitigate a Connection Reset issue with mobile devices through settings on the server?


Auditing IIS Logs for Communication Issues

Key Points
Client errors
Status codes between 400 and 500 specify an error made by the client, e.g. bad syntax or a request to a resource that doesn't exist. You can try this by requesting a bogus URL from the Web site of your choice, for example: http://<IIS7Server>/this_resource_does_not_exist. You get a 404 - File not found error.

Server errors
Status codes starting with 500 are errors caused by the server. The most common causes for 500 errors on IIS systems are:
- An ASP or ASPX page that contains a syntax error
- The Web server configuration or the application configuration cannot be read or is invalid
- The site is stopped

Question: When would a log not be helpful in troubleshooting a communication error?


Verifying Communication

Key Points
Ping your server
If your Web browser returned either the Cannot find server error or The page cannot be displayed error, then use the ping command to test for the following:
- The name resolution server resolves your IIS Web server's name to its IP address
- Your server responds to network requests from a remote computer

To ping your server by IP address
From a remote computer, in the command prompt, type ping IPaddress

Question: Think of an application running on a server in your current environment. How many other servers (domain controllers, file share, database) are involved in a client request?


Lesson 4: Troubleshooting Configuration

Configuration issues can be difficult to diagnose because they can look like other types of errors. In this lesson, you will learn about common configuration errors, and how to use IIS logs, tracing and detailed errors to troubleshoot them.


What are Common Configuration Error Messages?

Key Points
Server software and Web servers are very complex and highly configurable systems that support multi-tier applications using a variety of technologies and subsystems. IIS7 strives to improve the experience of diagnosing and solving problems when they do occur. Since configuration problems can appear as other types of errors, knowing how to use the new IIS7 diagnostics features is essential to troubleshooting server problems.

Question: Why not enable detailed error messages for all users?


Reviewing Common Causes of Configuration Errors

Key Points
Typically, 403 errors occur when an operation or request is disallowed because a requirement other than proper authentication credentials is not met. 503 errors are generated by the WAS (formerly W3SVC) service, which is responsible for creating IIS worker processes to handle incoming HTTP requests. When WAS fails to create a worker process, it will generate this error. 500 errors indicate an error condition on the server when trying to process the request. Use Failed Request Tracing and detailed error messages to find out the cause.

Question: Why not enable detailed error messages for all users?


Auditing IIS Logs for Configuration Issues

Key Points
Because of the complexity of configuration errors, making use of all available tools, such as logs, Failed Request Tracing, and detailed error messages, will greatly speed the troubleshooting process. Use the tracing logs to pinpoint the point of failure, and the detailed error messages for the most likely causes and resolutions.

Question: How do you troubleshoot configuration issues in your organization?


Lab: Troubleshooting IIS 7.0 Web Servers

Exercise 1: Troubleshooting Authentication


Scenario
You receive a service request asking you to resolve a user issue. The password-protected intranet site is accessed by domain users within the company, but is not allowing access to anyone. Using logs and detailed error messages, you must resolve the problem.

Exercise Overview
In this exercise, you will troubleshoot an authentication issue using IIS logs and detailed error messages. This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator.
2. Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator.
3. Browse to http://localhost/salessupport.
4. Examine the log file.
5. Enable Detailed Error Messages.
6. Reproduce the issue and examine the detailed error.
7. Resolve the issue and test functionality.

Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator


Start 6427A-NYC-DC1 and log on as Woodgrovebank\Administrator, password Pa$$w0rd.

Task 2: Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator


Start 6427A-NYC-WEB-E and log on as Woodgrovebank\Administrator, password Pa$$w0rd.

Task 3: Browse to http://localhost/salessupport


On NYC-WEB-E, test functionality by loading http://localhost/salessupport in the browser.

Task 4: Examine the log file


In C:\inetpub\logs\LogFiles\W3SVC1, open the most recent log file and look for the error. Note the substatus.

Task 5: Enable Detailed Error Messages


In IIS Manager, enable Detailed errors for local requests and custom error pages for remote requests.


Task 6: Reproduce the issue and examine the detailed error


In Internet Explorer, browse to http://localhost/salessupport. Examine the detailed error information.

Task 7: Resolve the issue and test functionality


1. Based on the detailed error, modify the configuration in IIS Manager to correct the issue.
2. In Internet Explorer, browse to http://localhost/salessupport to verify that the issue has been corrected.
Results: After this exercise, you should have successfully examined the IIS log files, enabled detailed error messages, and resolved the authentication issue.


Exercise 2: Troubleshooting Authorization


Scenario
You receive another service request to secure another Web site where all users are able to view the content. You must reproduce the issue, determine the cause, and resolve the issue.

Exercise Overview
In this exercise, you will troubleshoot authorization using Failed Request Tracing. This exercise's main tasks are:
1. Browse to http://localhost/salessupport2.
2. Enable Failed Request Tracing and add a rule to trace successful requests.
3. Reproduce the issue and examine the Failed Request Tracing log.
4. Resolve the issue and verify functionality.

Task 1: Browse to http://localhost/salessupport2


On NYC-WEB-E, in Internet Explorer, browse to http://localhost/salessupport2.

Task 2: Enable Failed Request Tracing and add a rule to trace successful requests
In IIS Manager, add a Failed Request Tracing rule to trace successful requests.


Task 3: Reproduce the issue and examine the Failed Request Tracing log
1. In Internet Explorer, browse to http://localhost/salessupport2.
2. Examine the latest failed request tracing log in c:\inetpub\logs\FailedReqLogFiles\W3SVC1. Examine the authorization information in the log.

Task 4: Resolve the issue and verify functionality


Based on the log, modify the configuration in IIS Manager to correct the issue. In Internet Explorer, browse to http://localhost/salessupport2 to verify that the issue has been corrected.

Results: After this exercise, you should have successfully enabled failed request tracing, and resolved the authorization issue.


Exercise 3: Troubleshooting Communication


Scenario
Users are reporting that a Web application is returning an error when they try to browse to it. You must troubleshoot why the Web application cannot open the content.

Exercise Overview
In this exercise, you will troubleshoot communication using tools. This exercise's main tasks are:
1. Reproduce the issue.
2. Use Ping to verify communication with the Web server.
3. Enable detailed errors and examine the detailed error.
4. Correct the problem and verify functionality.

Task 1: Reproduce the issue


On NYC-DC1, in Internet Explorer, browse to http://nyc-web-e/netapp/content.

Task 2: Use Ping to verify communication with the Web server


At the command prompt, type ping NYC-WEB-E, and then press ENTER.


Task 3: Enable detailed errors and examine the detailed error


1. On NYC-WEB-E, in IIS Manager, enable detailed errors.
2. In Internet Explorer, browse to http://localhost/netapp/content. Examine the detailed error information.

Task 4: Correct the problem and verify functionality


1. On NYC-WEB-E, in IIS Manager, correct the configuration based on the information from the detailed error.
2. In Internet Explorer, browse to http://localhost/netapp/content to verify that the error has been corrected.
Results: After this exercise, you should have used ping to verify communication, enabled detailed error messages, and resolved the error.


Exercise 4: Troubleshooting Configuration


Scenario
Users are reporting they receive multiple errors when trying to view JPG files that previously worked. You know that multiple people have the ability to modify this site including Web.config and related files.

Exercise Overview
In this exercise, you will troubleshoot configuration using detailed error messages. This exercise's main tasks are:
1. Reproduce the issue and examine the detailed error message.
2. Examine and correct the web.config file.
3. Verify functionality.

Task 1: Reproduce the issue and examine the detailed error message
1. On NYC-WEB-E, in Internet Explorer, browse to http://localhost/pics/logo.jpg.
2. Examine the detailed error information.

Task 2: Examine and correct the web.config file


Open the web.config file located in c:\Pics. Correct the error and save the file based on the information from the detailed error.

Task 3: Verify functionality


In Internet Explorer, browse to http://localhost/pics/logo.jpg.
Results: After this exercise, you should have reproduced the problem, examined the detailed error message, and resolved the error.


Module Review and Takeaways

Review Questions
1. What is the difference between custom errors and detailed errors?
2. Why are configuration issues difficult to diagnose?


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 1: Configuring an Internet Information Services 7.0 Web Server

Lab: Configuring an IIS 7.0 Web Server


Logon Information:
Virtual Machine: NYC-DC1, NYC-SVR1, NYC-SVR2, NYC-SVR3
User Name: LocalAdmin or Administrator
Password: Pa$$w0rd
Start the 6427A-NYC-DC1 virtual machine

Estimated time: 60 minutes

Exercise 1: Installing IIS using Role Manager


Scenario
You receive a service request from the Enterprise Design Team to prepare three Web servers to host Web sites and Web applications. One of the companies acquired by Woodgrove Bank has a classic ASP application that needs to be hosted in IIS7.

Exercise Overview
In this exercise, you will learn how to install IIS 7.0 using Role Manager. This exercise's main tasks are:
1. Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin.
2. Turn on Network Discovery.
3. Install the Web server role.


Task 1: Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin


1. On the Lab Launcher, next to 6427A-NYC-SVR1, click Launch.
2. Log on to NYC-SVR1 as LocalAdmin with the password of Pa$$w0rd.

Task 2: Turn on Network Discovery


1. On NYC-SVR1, click Start | Network.
2. Click the information bar with the text Network discovery and file sharing are turned off. Network computers and devices are not visible. Click to change....
3. Click Turn on network discovery and file sharing.
4. Click Yes, turn on network discovery and file sharing for all public networks.
5. Close Network.

Task 3: Install the Web server role


1. The Server Manager opens automatically.
2. In the details pane, in the Roles Summary section, click Add roles.
3. The Add Roles Wizard dialog box appears. Click Next.
4. In the Roles box, select Web Server (IIS).
5. The Add Roles Wizard dialog box appears. Click Add Required Features.
6. Click Next twice.
7. In the Roles services box, select ASP.
8. The Add Roles Wizard dialog box appears. Click Add Required Role Services.
9. Click Next and then click Install.
10. When the installation is complete, click Close.
11. In the console pane, expand Roles.
12. Notice that the Web Server (IIS) role is installed.
13. Click Start | All Programs | Internet Explorer.
14. The Microsoft Windows Internet Explorer window opens. Browse to http://localhost.
15. Notice that the IIS7 Welcome page loads, indicating that IIS is successfully installed and running.
Results: After this exercise you should have successfully verified that the Web Server (IIS) role is installed and loaded the IIS Welcome page in Internet Explorer.


Exercise 2: Installing IIS Using Unattended Setup


Scenario
Now you will set up the second IIS Web server to host the new ASP.NET application. You will install IIS by creating an Unattend.XML file based on the example given on the student CD by modifying it to only install the features needed. This will be an ASP.NET application server and will need to have all security, compression and caching features installed so that development can experiment with configuration.

Exercise Overview
In this exercise, you will learn how to install IIS using unattended setup. This exercise's main tasks are:
1. Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin.
2. Turn on Network Discovery.
3. Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features.
4. Install IIS using Pkgmgr with the Unattend.XML file and verify once completed.

Task 1: Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin


1. On the Lab Launcher, next to 6427A-NYC-SVR3, click Launch.
2. Log on to NYC-SVR3 as LocalAdmin with the password of Pa$$w0rd.

Task 2: Turn on Network Discovery


1. On NYC-SVR3, click Start | Network.
2. Click the information bar with the text Network discovery and file sharing are turned off. Network computers and devices are not visible. Click to change....
3. Click Turn on network discovery and file sharing.
4. Click Yes, turn on network discovery and file sharing for all public networks.
5. Close Network.

Task 3: Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features
1. Click Start, type Notepad, and then press Enter.
2. The Notepad window opens. On the File menu, click Open.
3. The Open dialog box appears. In the Text Documents list, click All Files.
4. Browse E:\Mod01\Labfiles.
5. Click unattend_all.xml and then click Open.
6. Delete the following lines:

   <selection name="IIS-HttpRedirect" state="true"/>
   <selection name="IIS-ASP" state="true"/>
   <selection name="IIS-CGI" state="true"/>
   <selection name="IIS-ISAPIExtensions" state="true"/>
   <selection name="IIS-ISAPIFilter" state="true"/>
   <selection name="IIS-IIS6ManagementCompatibility" state="true"/>
   <selection name="IIS-Metabase" state="true"/>
   <selection name="IIS-WMICompatibility" state="true"/>
   <selection name="IIS-LegacyScripts" state="true"/>
   <selection name="IIS-LegacySnapIn" state="true"/>

7. On the File menu, click Save As.
8. The Save As dialog box appears. Type c:\unattend.xml, and then click Save.
9. Close Notepad.


Task 4: Install IIS using Pkgmgr with the Unattend.XML file and verify once completed
1. Click Start, and then click Command Prompt.
2. Type cd \ and then press Enter.
3. Type start /w pkgmgr /n:unattend.xml and then press Enter.
4. When the process completes, type echo %errorlevel% and then press Enter. Note that it may take up to four minutes to complete.
5. Notice that the return code is 0 indicating a successful installation.
6. Type exit, and then press Enter.
7. In Server Manager, in the console pane, expand Roles. Note that you may need to refresh the console.
8. Notice that Web Server (IIS) is installed.
9. Click Start | All Programs | Internet Explorer.
10. The Windows Internet Explorer window opens. Browse to http://localhost.
11. Notice that the IIS Welcome page appears.
Results: After this exercise you should have successfully installed IIS using an unattend file and verified the IIS Welcome page.


Exercise 3: Installing IIS on Server Core from Command Line


Scenario
The final server you will install is a Server Core Web server that will act primarily as a redirection server to the ASP server.

Exercise Overview
In this exercise, you will learn how to install IIS via the command line in a Server Core environment. This exercise's main tasks are:
1. Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator.
2. Disable the firewall.
3. Install IIS from the command line.

Task 1: Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator


1. On the Lab Launcher, next to 6427A-NYC-SVR2, click Launch.
2. Log on to NYC-SVR2 as Administrator with the password of Pa$$w0rd.

Task 2: Disable the firewall


On NYC-SVR2, in the command prompt window, type netsh firewall set opmode disable and press Enter.


Task 3: Install IIS from the command line


1. Type the following and then press Enter. Note that the feature names are case-sensitive:
   Start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors;IIS-HttpRedirect;WAS-WindowsActivationService;WAS-ProcessModel
2. When the process completes, type echo %errorlevel%, and then press Enter. Note that it may take up to two minutes to complete.
3. Notice that the return code is 0 indicating a successful installation.
4. On NYC-SVR1, in Internet Explorer, browse to http://nyc-svr2.
5. Notice that the IIS Welcome page loads, indicating that the Web server role on NYC-SVR2 is installed and functioning.
Results: After this exercise you should have successfully installed IIS on Microsoft Server 2008 Server Core from the command line and verified by loading the IIS Welcome page from another machine running Internet Explorer.


Exercise 4: Configuring IIS and Validating Functionality


Scenario
With the three Web servers installed, configure each as necessary to perform its function.

Exercise Overview
In this exercise, you will configure common IIS features and validate functionality. This exercise's main tasks are:
1. Configure NYC-SVR1 for ASP debugging, detailed error messages, HTTP compression and SMTP Service.
2. Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression.
3. Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1.

Task 1: Configure NYC-SVR1 for ASP debugging, detailed error messages, and HTTP compression
1. On NYC-SVR1, click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NYC-SVR1 | Sites, and then click Default Web Site.
3. In the details pane, double-click ASP.
4. In the Compilation section, expand Debugging Properties.
5. In the Enable Client-side Debugging list, click True.
6. In the Enable Server-side Debugging list, click True.
7. In the Send Errors to Browser list, click True.
8. In the Actions pane, click Apply.


9. In the Connections pane, click Default Web Site.
10. In the details pane, double-click HTTP Response Headers.
11. In the Actions pane, click Set Common Headers.
12. The Set Common HTTP Response Headers dialog box appears. Select Expire Web content, and then click OK.
13. In the Connections pane, click Default Web Site.
14. In the details pane, double-click Compression.
15. Notice that Enable static content compression is checked.
16. In the Connections pane, click Default Web Site.
17. In the details pane, double-click Error Pages.
18. In the Actions pane, click Edit Feature Settings.
19. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click OK.
20. On NYC-SVR3, in Internet Explorer, browse to http://nyc-svr1/default.asp.
21. Notice that you get a detailed HTTP Error 404 page, indicating that the NYC-SVR1 web server has been configured properly.
Question: How does the Detailed Error page differ from the default Custom error page?
Answer: The Detailed Error Page lists trace events and steps for troubleshooting.

Task 2: Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression and SMTP
1. On NYC-SVR3, click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NYC-SVR3 | Sites, and then click Default Web Site.
3. In the Actions pane, click Failed Request Tracing.


4. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable, and then click OK.
5. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.
6. In the Actions pane, click Add.
7. The Add Failed Request Tracing Rule dialog box appears. Click Next.
8. In the Status code(s) field, type 500.
9. Select Event severity, and then in the Event severity list, click Critical Error.
10. Click Next and then click Finish.
11. In the Connections pane, click Default Web Site.
12. In the details pane, in the IIS section, double-click Directory Browsing.
13. In the Actions pane, click Enable.
14. In the Connections pane, click Default Web Site.
15. In the details pane, in the IIS section, double-click Authentication.
16. In the details pane, click Windows Authentication.
17. In the Actions pane, click Enable.
18. In the details pane, click ASP.NET Impersonation.
19. In the Actions pane, click Enable.
20. In Server Manager, in the console pane, right-click Roles and then click Add Roles.
21. The Add Roles Wizard dialog box appears. Click Next.
22. Select UDDI Services, and then click Next twice.
23. Select UDDI Services Database and UDDI Services Web Application.
24. The Add Roles Wizard dialog box appears. Click Add Required Role Services, and then click Next.
25. Click Do not require SSL, and then click Next seven times. Click Install.
26. When installation completes, click Close. Note that it may take up to eight minutes to complete.


27. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
28. In the details pane, in the IIS section, double-click Output Caching.
29. In the Actions pane, click Add.
30. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.
31. Select User-mode caching and then click OK.
32. In the Connections pane, click Default Web Site.
33. In the details pane, in the ASP.NET section, double-click SMTP E-mail.
34. In the E-mail address field, type NYC-SVR3@WoodgroveBank.com.
35. In SMTP Server field, type SMTP.WoodgroveBank.com.
36. In the Actions pane, click Apply.
37. In Internet Explorer, browse to http://localhost/uddi.
38. Notice the UDDI Services page loads.
39. Browse to http://localhost/aspnet_client.
40. Notice that there is a detailed HTTP Error 500.24.
41. Under Detailed Error Information, right-click C:\inetpub\logs\FailedReqLogFiles, and then click Copy Shortcut.
42. Click Start | Run. Right-click the Open field and then click Paste.
43. Click OK.
44. Double-click W3SVC1.
45. Notice that there is a failed request log for the server error: fr00001.xml.


Task 3: Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1
1. On NYC-SVR2, in the command prompt window, type cd \windows\system32\inetsrv\config and then press Enter.
2. Type edit applicationHost.config and then press Enter.
3. Scroll down to <defaultDocument enabled="true"> (approximately line 169), and change "true" to "false".
4. Scroll down to <httpRedirect enabled="false" /> (approximately line 246), and modify this line to read:
   <httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://10.10.0.24/" />
5. On the File menu, click Save.
6. On the File menu, click Exit.
7. On NYC-SVR3, in Internet Explorer, browse to http://nyc-svr2.
8. Notice that the IIS 7 Welcome page loads and the address field has changed to http://10.10.0.24.
Question: What would be displayed if redirection was not enabled?
Answer: Since there is no default document, an error message would be displayed and the address bar would still display http://nyc-svr2.
9. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise you should have successfully configured and verified the configuration of the three web servers.
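The settings this exercise turns on (detailed errors, directory browsing, ASP debugging and error output, and the redirect on NYC-SVR2) suit a lab and are worth locating again before a server goes into production. The following Python code is an added example, not part of the courseware: it scans IIS 7.0 configuration XML for those settings, and the sample content, the rule list and the function name audit are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in applicationHost.config format. It combines, in one
# file, the settings Exercise 4 applies across the three lab servers.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <defaultDocument enabled="false" />
    <directoryBrowse enabled="false" />
    <httpErrors errorMode="DetailedLocalOnly" />
    <httpRedirect enabled="true" exactDestination="false" childOnly="false"
                  destination="http://10.10.0.24/" />
    <asp scriptErrorSentToBrowser="false" />
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <directoryBrowse enabled="true" />
      <httpErrors errorMode="Detailed" />
      <asp scriptErrorSentToBrowser="true" appAllowDebugging="true"
           appAllowClientDebug="true" />
    </system.webServer>
  </location>
</configuration>"""

# (element, attribute, flagged value, reason to review it on a production server)
RULES = [
    ("directoryBrowse", "enabled", "true", "directory listings expose file names"),
    ("httpErrors", "errorMode", "Detailed", "detailed errors go to remote clients"),
    ("asp", "scriptErrorSentToBrowser", "true", "ASP script errors go to the browser"),
    ("asp", "appAllowDebugging", "true", "server-side ASP debugging is on"),
    ("asp", "appAllowClientDebug", "true", "client-side ASP debugging is on"),
]


def _web_server_sections(node):
    """Return the <system.webServer> elements that are direct children of node."""
    return [child for child in node if child.tag == "system.webServer"]


def audit(config_xml):
    """Return (scope, setting, value, reason) tuples for lab-style settings."""
    root = ET.fromstring(config_xml)
    # Server-wide settings sit directly under <configuration>; per-site
    # overrides sit under <location path="...">.
    scopes = [("(server)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for scope, node in scopes:
        for web in _web_server_sections(node):
            for element, attr, flagged, reason in RULES:
                for el in web.iter(element):
                    value = el.get(attr, "")
                    if value.lower() == flagged.lower():
                        findings.append((scope, f"{element}/@{attr}", value, reason))
            # Enabled redirects are listed so the destination can be confirmed.
            for el in web.iter("httpRedirect"):
                if el.get("enabled", "false").lower() == "true":
                    findings.append((scope, "httpRedirect/@destination",
                                     el.get("destination", ""),
                                     "requests are redirected; confirm the target"))
    return findings


if __name__ == "__main__":
    for scope, setting, value, reason in audit(SAMPLE_CONFIG):
        print(f"{scope:18} {setting:32} {value:22} {reason}")
```

The same function accepts the contents of a site's web.config, because both files use the system.webServer schema.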


Module 2: Configuring IIS 7.0 Web Sites and Application Pools

Lab: Configuring IIS 7.0 Web Sites and Application Pools


Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-A, NYC-SVR1
User Name: Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Configuring Authentication Types


Scenario
You receive a service request from the Enterprise Design Team to organize the existing NYC-WEB-A server into virtual directories by access level. There will be two access levels: public and restricted. Anyone on the network should be able to access the public content. Only authenticated users should be able to access restricted.

Exercise Overview
In this exercise, you will learn how to create virtual directories and configure anonymous authentication. This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine.
2. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator.
3. Add Basic, Windows Integrated and Digest Security features to the IIS Role.
4. Create a virtual directory named Public.
5. Configure the public virtual directory for anonymous authentication.


Task 1: Start the 6427A-NYC-DC1 virtual machine


On the Lab Launcher, next to 6427A-NYC-DC1 click Launch.

Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-WEB-A click Launch.
2. Log on to NYC-WEB-A as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Add Basic, Windows Integrated and Digest Security features to the IIS Role
1. On NYC-WEB-A, in Server Manager, in the console pane, expand Roles and then click Web Server (IIS).
2. Right-click Web Server (IIS) and then click Add Role Services.
3. The Add Role Services dialog box appears. In the Role services box, under Security, select Basic Authentication, Windows Authentication, and Digest Authentication.
4. Click Next and then click Install.
5. When the installation is complete, click Close.
6. In the details pane, in the Role Services section, notice that Basic Authentication, Windows Authentication, and Digest Authentication are listed as Installed.

Task 4: Create a virtual directory named public


1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NYC-WEB-A | Sites and then click Default Web Site.
3. In the Actions pane, click View Virtual Directories.
4. Click Add Virtual Directory.
5. The Add Virtual Directory dialog box appears. In the Alias field, type Public.


6. Next to the Physical path field, click the Browse (...) button.
7. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New Folder.
8. Type Public, and then click OK.
9. Click OK.
10. Click Start | Computer and then browse to C:\inetpub\wwwroot.
11. Select all, then right-click and then click Copy.
12. Browse to C:\inetpub\public, right-click, and then click Paste.

Task 5: Configure the public virtual directory for anonymous authentication


1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Default Web Site and then click Public.
2. In the details pane, double-click Authentication.
3. Click Anonymous Authentication. Notice that it is enabled.
4. In the Actions pane, click Edit.
5. The Edit Anonymous Authentication Credentials dialog appears. Notice that Specific user is selected and set to IUSR.
6. Click Cancel.
7. In Server Manager, in the console pane, expand Configuration | Local Users and Groups and then click Users.
8. In the details pane, right-click Guest, and then click Properties.
9. The Guest Properties dialog box appears. Clear Account is disabled, and then click OK.
10. Click Start | Administrative Tools | Local Security Policy.
11. The Local Security Policy window opens. In the console pane, expand Local Policies and then click User Rights Assignment.
12. In the details pane, right-click Allow log on locally, and then click Properties.
13. The Allow log on locally Properties dialog appears. Click Add User or Group.


14. The Select Users, Computers, or Groups dialog box appears. Click Locations.
15. The Locations dialog box appears. Click NYC-WEB-A, and then click OK.
16. In the Enter the object names to select field, type Guest, and then click OK twice.
17. Close Local Security Policy.
18. Click Start | Switch User.
19. Log on as NYC-WEB-A\Guest with no password.
20. Click Start | All Programs | Internet Explorer.
21. The Windows Internet Explorer window opens. Browse to http://localhost. Note that we've set the default site to the Public virtual directory so there's no need to use localhost/public. Notice that the IIS7 Welcome page loads.
22. Click Start | Switch User.
23. Log on as Woodgrovebank\Administrator with the password of Pa$$w0rd.
Results: After this exercise, you should have successfully verified that the Web Server (IIS) role is installed and loaded the IIS Welcome page in Internet Explorer.


Exercise 2: Creating a Web Site and Web Application


Scenario
Next you will create two web sites, and two web applications, in the employee and restricted virtual directories, named Woodgrove and Exec respectively. Exec will be a .NET 3.0 application. You will also delegate administrative access to ITAdmins_WoodgroveGG.

Exercise Overview
In this exercise, you will learn how to create web sites and applications. This exercise's main tasks are:
1. Create a site named Woodgrove.
2. Copy the Woodgrove application to the appropriate directory.
3. Add the .NET 3.0 Feature to the server.
4. Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG.

Task 1: Create a site named Woodgrove


1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, click Sites.
2. In the Actions pane, click Add Web Site.
3. The Add Web Site dialog box appears. In the Site name field, type Woodgrove.
4. In Physical path, click the Browse (...) button.
5. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New Folder.
6. Type woodgrove, and then click OK.
7. In the Port field, type 88, and then click OK.


Task 2: Copy the Woodgrove Application to the Appropriate Directory


1. In Windows Explorer, browse to E:\Mod02\Labfiles\WoodGrove.
2. Select all, then right-click, and then click Copy.
3. Browse to C:\inetpub\woodgrove, right-click, and then click Paste.

Task 3: Add the .NET 3.0 Feature and ASP.NET to the server
1. In Server Manager, in the console pane, click Features.
2. In the details pane, click Add Features.
3. The Add Features Wizard dialog box appears. Select .NET Framework 3.0 Features.
4. The Add Features Wizard dialog box appears. Click Add Required Role Services.
5. Click Next twice.
6. On the Select Role Services page, select ASP.NET.
7. The Add Features Wizard dialog box appears. Click Add Required Role Services.
8. Click Next, and then click Install.
9. When the installation is complete, click Close.


Task 4: Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG


1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Sites and then click Woodgrove.
2. In the Actions pane, click Edit Permissions.
3. The woodgrove Properties dialog box appears. Click the Security tab.
4. Click Edit.
5. The Permissions for woodgrove dialog box appears. Click Add.
6. The Select Users, Computers, or Groups dialog box appears. In the Enter the object names to select field, type ITAdmins_WoodgroveGG, and then click Check Names.
7. Click OK.
8. Next to Full control, select Allow and then click OK twice.
Results: After this exercise, you should have successfully installed .NET 3.0 Framework, ASP.NET, and created the Woodgrove site and copied its content.


Exercise 3: Creating an Application Pool


Scenario
You will now create a new application pool for temporary applications.

Exercise Overview
In this exercise, you will learn how to create an application pool. This exercise's main task is: Create an application pool named TempPool.

Task 1: Create an application pool named TempPool


1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, expand NYC-WEB-A and then click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. The Add Application Pool dialog box appears. In the Name field, type TempPool.
4. Click OK.
5. In the details pane, notice that TempPool appears in the list of application pools.
Results: After this exercise, you should have successfully added an application pool named TempPool.


Exercise 4: Configuring an Existing Application Pool


Scenario
Next, you will configure the new application pools according to the needs for the new applications. You will also practice starting, stopping, and recycling the application pools and configuring health settings. You will also rename the Exec and Woodgrove pools to ExecPool and WoodgrovePool.

Exercise Overview
In this exercise, you will configure the application pools and validate functionality. This exercise's main tasks are:
1. Rename Woodgrove to WoodgrovePool.
2. Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users.
3. Configure TempPool to use LocalSystem as worker process identity.
4. Stop, start and recycle WoodgrovePool.
5. Configure TempPool for Classic Pipeline Mode.
6. Remove TempPool.
7. Configure Health and Recycling settings for WoodgrovePool.

Task 1: Rename Woodgrove to WoodgrovePool


1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, expand Sites and then click Woodgrove.
2. In the Actions pane, click Basic Settings.
3. The Edit Site dialog box appears. Click Select.
4. The Select Application Pool dialog box appears. In the Application pool list, click TempPool, and then click OK twice.
5. In the Connections pane, click Application Pools.


6. In the details pane, click Woodgrove.
7. In the Actions pane, click Rename.
8. Type WoodgrovePool, and then press Enter.
9. In the Connections pane, click Woodgrove.
10. In the Actions pane, click Basic Settings.
11. The Edit Site dialog box appears. Click Select.
12. The Select Application Pool dialog box appears. In the Application pool list, click WoodgrovePool, and then click OK twice.

Task 2: Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users
1. In the Connections pane, expand Sites and then click Woodgrove.
2. In the details pane, double-click Authentication.
3. Click Windows Authentication.
4. In the Actions pane, click Enable.
5. In the details pane, click Anonymous Authentication.
6. In the Actions pane, click Disable.
7. On the Lab Launcher, next to 6427A-NYC-SVR1 click Launch.
8. Log on to NYC-SVR1 as LocalAdmin with the password of Pa$$w0rd. Note that this machine is not joined to the domain.
9. Click Start | All Programs | Internet Explorer.
10. The Windows Internet Explorer window opens. Browse to http://nyc-web-a.woodgrovebank.com. Notice that the IIS Welcome page appears indicating that the previous anonymous public site configuration is correct.


11. Browse to http://nyc-web-a.woodgrovebank.com:88. Notice that there is an error message and the page will not load. Windows authentication has failed for this user/machine.
Question: Why does Windows authentication fail?
Answer: Because NYC-SVR1 is not joined to the Woodgrovebank domain, the user account cannot be authenticated.
12. On NYC-WEB-A, click Start | All Programs | Internet Explorer.
13. The Windows Internet Explorer window opens. Browse to http://localhost:88. Notice that the Woodgrove Bank page appears. Windows authentication is successful.

Task 3: Configure TempPool to use LocalSystem as worker process identity


1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools.
2. In the details pane, click TempPool.
3. In the Actions pane, click Advanced Settings.
4. The Advanced Settings dialog box appears. Under the Process Model section, click Identity.
5. Next to NetworkService, click the Browse (...) button.
6. The Application Pool Identity dialog box appears. In the Built-in account list, click LocalSystem.
7. Click OK twice.

Task 4: Stop, start and recycle WoodgrovePool


1. In the Connections pane, click Application Pools.
2. In the details pane, click WoodgrovePool.
3. In the Actions pane, click Stop.


4. In the details pane, notice that the status of WoodgrovePool changes to Stopped.
5. In the Actions pane, click Start.
6. In the details pane, notice that the status of WoodgrovePool changes to Started.
7. In the Actions pane, click Recycle. WoodgrovePool recycles, however the results may not be visible.

Task 5: Configure TempPool for Classic Pipeline Mode


1. In the Connections pane, click Application Pools.
2. In the details pane, click TempPool.
3. In the Actions pane, click Basic Settings.
4. The Edit Application Pool dialog box appears. In the Managed pipeline mode list, click Classic.
5. Click OK.

Task 6: Remove TempPool


1. In the Connections pane, click Application Pools.
2. In the details pane, click TempPool.
3. In the Actions pane, click Remove.
4. The Confirm Remove dialog box appears. Click Yes.


Task 7: Configure Health and Recycling settings for WoodgrovePool


1. In the Connections pane, click Application Pools.
2. In the details pane, click WoodgrovePool.
3. In the Actions pane, click Recycling.
4. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number of requests.
5. In the Fixed Number of requests field, type 1000.
6. Click Next.
7. On the Recycling Events to Log page, select Number of requests.
8. Click Finish.
9. In the Actions pane, click Advanced Settings.
10. The Advanced Settings dialog box appears. In the Rapid-Fail Protection section, click Failure Interval (minutes).
11. In the value column, type 10 and then click OK.
Close each of the running virtual machines. Do not save changes so they are reset to defaults for the next lab.
Results: After this exercise, you should have successfully configured and verified the configuration of the application pools.


Module 3: Configuring IIS 7.0 Application Settings

Lab: Configuring IIS 7.0 Application Settings


Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-A
User Name: Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Configuring ASP.NET


Scenario
You receive a service request from the Enterprise Design Team to deploy an application server. You need to add and configure the ASP.NET role service, and Application Server role, on the Web Server. The server will be available from the Internet and Sales Associates will need to log in with the user name sales and password support from their clients' sites to get contact information for support. This requires a medium level of security. If there is an error, the error message returned to the client browser should direct the user to contact their district sales manager for login information.

Exercise Overview
In this exercise, you will learn how to add the ASP.NET role service and configure ASP.NET. You will choose and configure the appropriate authentication model, and set up custom error pages to handle HTTP errors.


This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine.
2. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator.
3. Add ASP.NET and Basic Security features to the IIS Role.
4. Create the SalesSupport application and copy the ASP.NET application files.
5. Configure Basic Security to allow access to authenticated Woodgrovebank domain users.
6. Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors.

Task 1: Start the 6427A-NYC-DC1 virtual machine


On the Lab Launcher, next to 6427A-NYC-DC1 click Launch.

Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-WEB-A click Launch.
2. Log on to NYC-WEB-A as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Add ASP.NET and Basic Security features to the IIS Role
1. On NYC-WEB-A, in Server Manager, in the console pane, expand Roles and then click Web Server (IIS).
2. Right-click Web Server (IIS), and then click Add Role Services.
3. The Add Role Services dialog box appears. In the Role services box, under Application Development, select ASP.NET.
4. The Add Role Services box appears. Click Add Required Role Services.
5. In the Role Services box, under Security, select Basic Authentication.


6. Click Next, and then click Install.
7. When the installation is complete, click Close.
8. In the details pane, in the Role Services section, notice that ASP.NET and Basic Authentication are listed as Installed.

Task 4: Create the SalesSupport application and copy the ASP.NET application files
1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NYC-WEB-A | Sites and then click Default Web Site.
3. In the Actions pane, click View Applications.
4. Click Add Application.
5. The Add Application dialog box appears. In the Alias field, type SalesSupport.
6. Next to the Physical path field, click the Browse (...) button.
7. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder.
8. Type SalesSupport and then click OK.
9. Click OK.
10. Click Start | Computer and then browse to E:\Mod03\Labfiles\SalesSupport.
11. Select all, then right-click and then click Copy.
12. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.


Task 5: Configure Basic Security to allow access to authenticated Woodgrovebank domain users
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Default Web Site and then click SalesSupport.
2. In the details pane, double-click Authentication.
3. Click Anonymous Authentication.
4. In the Actions pane, click Disable.
5. In the details pane, click Basic Authentication.
6. In the Actions pane, click Enable.
7. Click Edit.
8. The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type woodgrovebank.
9. Click OK.
10. Click Start | All Programs | Internet Explorer.
11. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.
12. The Connect to localhost dialog box appears. Notice that there is a warning about basic authentication and insecure credentials.
13. In the User name field, type yvonne. Note that Yvonne is a marketing account manager with a domain account in the Woodgrovebank domain.
14. In the Password field, type Pa$$w0rd and then click OK. Notice that the Sales Support Resources page loads successfully.
15. Close Internet Explorer. Note that you must close the browser to reset the session so you can try logging in as a different user.
16. Click Start | All Programs | Internet Explorer.
17. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.
18. The Connect to localhost dialog box appears. In the User name field, type bob. Note that Bob does not have a domain account in the Woodgrovebank domain.
19. Leave the Password field blank and then click OK.


20. Click OK two more times. Notice that you get an HTTP 401.1 Unauthorized error. Note that detailed error messages show up locally by default.
21. Close Internet Explorer.

Task 6: Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors
1. In Windows Explorer, browse to E:\Mod03\Labfiles\WBErrors.
2. Select all, right-click and then click Copy.
3. Browse to C:\inetpub\custerr\en-US, right-click, and then click Paste.
4. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport.
5. In the details pane, double-click Error Pages.
6. In the Actions pane, click Edit Feature Settings.
7. The Edit Error Pages Settings box appears. Click Custom error pages.
8. Click OK.
9. In the details pane, under the Status Code column, click 401.
10. In the Actions pane, click Edit.
11. The Edit Custom Error Page dialog box appears. Click Set.
12. The Set Localized Custom Error Path dialog box appears. In the Relative file path field, delete the existing text and then type 401.aspx.
13. Click OK twice.
14. In the details pane, under the Status Code column click 404.
15. In the Actions pane, click Edit.
16. The Edit Custom Error Page dialog box appears. Click Set.
17. The Set Localized Custom Error Path dialog box appears. In the Relative file path field, delete the existing text and then type Other_Errors.aspx.
18. Click OK twice. Note that in a real world situation, you would repeat these steps for each error that you wanted to assign to a custom error message.
19. Click Start | All Programs | Internet Explorer.


20. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.
21. The Connect to localhost dialog box appears. In the User name field, type bob.
22. Leave the Password field blank and then click OK three times. Notice that there is now a custom error message directing you to contact your district sales manager.
23. Close Internet Explorer.
24. Click Start | All Programs | Internet Explorer.
25. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport/brokenlink.
26. The Connect to localhost dialog box appears. In the User name field, type yvonne.
27. In the Password field, type Pa$$w0rd and then click OK. If you are prompted, add the site to the allowed list. Notice that you get a custom error that is slightly different. Since the path brokenlink doesn't exist, this is a custom 404 error.
28. Close Internet Explorer.

Tip: If you are having problems verifying your custom error settings, and changes don't seem to be taking effect, be sure to clear the browser cache.

Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, configured Basic authentication, and verified custom error pages in Internet Explorer.


Exercise 2: Configuring ASP.NET Application Development Settings


Scenario
Next you will configure some test settings for the SalesSupport application. The Enterprise Design team is planning on implementing a database to store the support resource data. You will need to enter the provided connection string. You will also rename the cookie that the page uses to SalesSupport. Next you will create a custom control for testing the new configuration. Finally, you will set some application settings and then verify that the application can read them by loading the custom test page.

Exercise Overview
In this exercise, you will learn how to configure ASP.NET application development settings. This exercise's main tasks are:
1. Configure ASP.NET Connection Strings to connect to Resources.MDF.
2. Configure ASP.NET Session State settings to rename the cookie to SalesSupport.
3. Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0
4. Add application settings at Site and Application levels.


Task 1: Configure ASP.NET Connection Strings to connect to Resources.MDF


1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, expand Sites | Default Web Site and then click SalesSupport.
2. In the details pane, double-click Connection Strings.
3. In the Actions pane, click Add.
4. The Add Connection String dialog box appears. In the Name field, type LocalResources.
5. Click Custom.
6. In the Custom field delete the existing text and then type data source=.\SQLEXPRESS;AttachDbFileName=e:\mod03\labfiles\resources.mdf;IntegratedSecurity=True
7. Click OK.

Task 2: Configure ASP.NET Session State settings to rename the cookie to SalesSupport
1. In the Connections pane, click SalesSupport.
2. In the details pane, double-click Session State.
3. In the Cookie Settings section, in the Name field, delete the existing text and then type SalesSupport_SessionID.
4. In the Actions pane, click Apply.


Task 3: Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0


1. In the Connections pane, click SalesSupport.
2. In the details pane, double-click Pages and Controls.
3. In the Action pane, click Register Controls.
4. Click Add Custom Control.
5. The Add Custom Control dialog box appears. In the Tag prefix field type Woodgrovebank.
6. In the Namespace field, type TestControls.
7. In the Assembly field, type Version=1.0.0.0.
8. Click OK.

Task 4: Add application settings at site and application levels


1. Click Start | All Programs | Internet Explorer.
2. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport/test.aspx.
3. The Connect to localhost dialog box appears. In the User name field, type yvonne.
4. In the Password field, type Pa$$w0rd and then click OK. Notice that the Woodgrove Bank Sales Application Settings Test Page opens. It should report No Application Settings defined.
5. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
6. In the details pane, double-click Application Settings.
7. In the Actions pane, click Add.
8. The Add Application Setting dialog box appears. In the Name field, type DefaultLocation.
9. In the Value field, type New York.
10. Click OK.


11. In Internet Explorer, click the Refresh button. Notice that it now reports DefaultLocation = New York.
12. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport.
13. In the details pane, double-click Application Settings.
14. Notice in the details pane that DefaultLocation is inherited.
15. In the Actions pane, click Add.
16. The Add Application Settings dialog appears. In the Name field, type debug_mode.
17. In the Value field, type true.
18. Click OK.
19. In Internet Explorer, click the Refresh button. Notice that it now reports DefaultLocation = New York and debug_mode = true.
Question: How might the application settings be used in real world Web applications?
Answer: The application can customize content or actions based on the settings. This gives flexibility to the administrator to customize the application at deployment time.
20. Close Internet Explorer.

Results: After this exercise, you should have configured ASP.NET development settings and verified test page functionality.


Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools
Scenario
You will now deploy the SalesSupport application to two new instances. One instance will be a test deployment with additional testing configuration. Another instance will be for the German division of Woodgrove and will need to be set for German globalization settings. Additionally, you will disable the debug mode for the production version of SalesSupport.

Exercise Overview
In this exercise, you will learn how to create an application pool. This exercise's main tasks are:
1. Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test.
2. Create the applications SalesSupport_De and SalesSupport_Test.
3. Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories.
4. Assign the applications to the appropriate application pools.
5. Configure application pool recycling for unlimited requests.
6. Configure the SalesSupport_Test application pool to record recycled events.
7. Configure the SalesSupport .NET compilation debug setting to False.
8. Configure the SalesSupport_De application globalization settings for Germany.

Task 1: Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test
1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport.
4. Click OK.


5. In the Actions pane, click Add Application Pool.
6. The Add Application Pool dialog box appears. In the Name field, type SalesSupport_De.
7. Click OK.
8. In the Actions pane, click Add Application Pool.
9. The Add Application Pool dialog box appears. In the Name field, type SalesSupport_Test.
10. Click OK.
11. In the details pane, notice that SalesSupport, SalesSupport_DE, and SalesSupport_Test appear in the list of application pools.

Task 2: Create the applications SalesSupport_De and SalesSupport_Test


1. In the Connections pane, click Default Web Site.
2. In the Actions pane, click View Applications.
3. Click Add Application.
4. The Add Application dialog box appears. In the Alias field, type SalesSupport_De.
5. Next to the Physical path field, click the Browse (...) button.
6. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder.
7. Type SalesSupport_De and then click OK twice.
8. Click Add Application.
9. The Add Application dialog box appears. In the Alias field, type SalesSupport_Test.
10. Next to the Physical path field, click the Browse (...) button.
11. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder.
12. Type SalesSupport_Test and then click OK twice.
13. In the details pane, notice that SalesSupport, SalesSupport_DE, and SalesSupport_Test appear in the list of applications.


Task 3: Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories
1. Click Start | Command Prompt.
2. Type cd \inetpub\wwwroot and then press Enter.
3. Type xcopy /e SalesSupport\*.* SalesSupport_De and then press Enter.
4. Type dir SalesSupport_De and then press Enter to confirm that the files were copied.
5. Type xcopy /e SalesSupport\*.* SalesSupport_Test and then press Enter.

Shortcut: Press Up Arrow twice, and then Backspace and change the last few characters of the previous command line to _Test, and then press Enter.

6. Type dir SalesSupport_Test and then press Enter to confirm that the files were copied.

Task 4: Assign the applications to the appropriate application pools


1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
2. In the Actions pane, click View Applications.
3. In the details pane, click /SalesSupport.
4. In the Actions pane, click Basic Settings.
5. The Edit Application dialog box appears. Click Select.
6. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport, and then click OK twice.
7. In the details pane, click /SalesSupport_De.
8. In the Actions pane, click Basic Settings.
9. The Edit Application dialog box appears. Click Select.
10. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport_De, and then click OK twice.
11. In the details pane, click /SalesSupport_Test.


12. In the Actions pane, click Basic Settings.
13. The Edit Application dialog box appears. Click Select.
14. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport_Test, and then click OK twice.
15. In the Connections pane, click SalesSupport_De.
16. In the details pane, double-click Authentication.
17. Click Anonymous Authentication.
18. In the Actions pane, click Disable.
19. In the details pane, click Basic Authentication.
20. In the Actions pane, click Enable.
21. Click Edit.
22. The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type woodgrovebank.
23. Click OK.
24. In the Connections pane, click SalesSupport_Test.
25. In the details pane, double-click Authentication.
26. Click Anonymous Authentication.
27. In the Actions pane, click Disable.
28. In the details pane, click Basic Authentication.
29. In the Actions pane, click Enable.
30. Click Edit.
31. The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type woodgrovebank.
32. Click OK.


Task 5: Configure production application pool recycling for unlimited requests


1. In the Connections pane, click Application Pools.
2. In the details pane, click SalesSupport.
3. In the Actions pane, click Recycling.
4. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular time intervals check box, and then click Next.
5. Click Finish.
6. In the details pane, click SalesSupport_De.
7. In the Actions pane, click Recycling.
8. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular time intervals check box, and then click Next.
9. Click Finish.

Task 6: Configure the SalesSupport_Test application pool to record recycled events


1. In the details pane, click SalesSupport_Test.
2. In the Actions pane, click Recycling.
3. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number of requests.
4. In the Fixed number of requests field, type 1024 and then click Next.
5. On the Recycling Events to Log page, select Number of requests, On-demand, and Configuration changes.
6. Click Finish.


Task 7: Configure the SalesSupport .NET compilation debug setting to False


1. In the Connections pane, click SalesSupport.
2. In the details pane, double-click .NET Compilation.
3. Under Behavior, in the Debug list, click False.
4. In the Actions pane, click Apply.
Question: What is the advantage of disabling the debug setting in .NET compilation?
Answer: The compiled code will be smaller and faster without debug code. It is a good idea to use this setting when an application is fully tested and deployed to final production.

Task 8: Configure the SalesSupport_De application globalization settings for Germany


1. In the Connections pane, click SalesSupport_De.
2. In the details pane, double-click .NET Globalization.
3. In the Culture list, click German (Germany) (de-DE).
4. In the UI Culture list, click German (Germany) (de-DE).
5. In the Actions pane, click Apply.
6. Click Start | All Programs | Internet Explorer.
7. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.
8. The Connect to localhost dialog box appears. In the User name field, type yvonne.
9. In the Password field, type Pa$$w0rd and then click OK.
10. Open a second tab in Internet Explorer and then browse to http://localhost/salessupport_test.


11. Open a third tab and then browse to http://localhost/salessupport_de.
12. Right-click the notification area and then click Task Manager.
13. The Task Manager window opens. Click the Processes tab.
14. Under the Image Name column, notice that there are at least three instances of w3wp.exe running, indicating at least three separate application pools.
15. Close Task Manager.
16. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx. Notice that the date is now in dd.mm.yyyy format, the cultural default for Germany.
17. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.

Results: After this exercise, you should have successfully deployed multiple applications with separate application pools, configured recycling and debug settings, and configured and verified .NET globalization settings.


Exercise 4: Configuring ASP.NET Security


Scenario
Next, you will configure the machine key, .NET trust level, and File and Folder security.

Exercise Overview
In this exercise, you will configure ASP.NET security settings. This exercise's main tasks are:
1. Set the machine key of SalesSupport_de.
2. Configure the SalesSupport_Test site for medium trust level.
3. Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page on SalesSupport.
4. Enable Tracing and Logging for the SalesSupport_Test site.
5. Configure Request Filtering so that only ASPX requests are processed.

Task 1: Set the machine key of SalesSupport_de


1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport_De.
2. In the details pane, double-click Machine Key.
3. In the Actions pane, click Generate Keys.
4. Click Apply.

Task 2: Configure the SalesSupport_Test site for medium trust level


1. In the Connections pane, click SalesSupport_Test.
2. In the details pane, double-click .NET Trust Levels.
3. In the Trust level list, click Medium (web_mediumtrust.config).
4. In the Actions pane, click Apply.


Task 3: Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page in SalesSupport
1. In the Connections pane, click SalesSupport.
2. In the details pane, click the Content View tab at the bottom of the window.
3. Click test.aspx.
4. In the Actions pane, click Edit Permissions.
5. The test.aspx Properties dialog box appears. Click the Security tab.
6. Click Advanced.
7. The Advanced Security Settings for test.aspx dialog box appears. Click Edit.
8. Clear the Include inheritable permissions from this object's parent check box.
9. The Windows Security dialog box appears asking if you want to copy the inherited permissions. Click Copy.
10. Click Users (NYC-WEB-A\Users), and then click Remove.
11. Click Add.
12. The Select User, Computer, or Group dialog box appears. In the Enter the object name to select field, type Network Service. Note that since we have removed Users, we need to specifically allow the Network Service account. The SalesSupport application pool is running under the Network Service account with pass-through authentication.
13. Click Check Names, and then click OK.
14. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next to Full control, select Allow.
15. Click OK.
16. Click Add.
17. The Select User, Computer, or Group dialog box appears. In the Enter the object name to select field, type ITAdmins_WoodgroveGG.
18. Click Check Names, and then click OK.
19. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next to Full control, select Allow.


20. Click OK four times.
21. In Internet Explorer, browse to http://localhost/salessupport/test.aspx.
22. The Connect to localhost dialog box appears. In the User name field, type yvonne.
23. In the Password field, type Pa$$w0rd and then click OK.
24. Click OK two more times. Notice that Yvonne no longer has access to test.aspx.
25. Click the Refresh button.
26. The Connect to localhost dialog box appears. In the User name field, type betsy. Note that Betsy is a member of the ITAdmins_WoodgroveGG security group.
27. In the Password field, type Pa$$w0rd and then click OK. Notice that Betsy has access to the page.
28. Close Internet Explorer.

Task 4: Enable Tracing and Logging for the SalesSupport_Test site


1. In Server Manager, in the console pane, expand Roles and then click Web Server (IIS).
2. Right-click Web Server (IIS), and then click Add Role Services.
3. The Add Role Services dialog box appears. Select Health and Diagnostics to select all of the Health and Diagnostics services.
4. Click Next, and then click Install.
5. When the installation completes, click Close.
6. Click Start, type Notepad and then press Enter.
7. The Notepad window opens. On the File menu, click Open.
8. The Open dialog box appears. In the Text Documents list, click All Files.
9. Browse to C:\inetpub\wwwroot\SalesSupport_Test.
10. Click test.aspx, and then click Open.


11. In the first line of the file, modify the trace="false" attribute to read trace="true" so that the line reads:
<%@ Page Language="C#" trace="true" %>

12. On the fifth line of the file, type This message should appear between the double quotes, so that the line reads:
Response.Write("This message should appear");

Question: How would an application use tracing?
Answer: A developer can add trace commands to the Web application code to record information that can be used for debugging and monitoring. The administrator has the ability to enable or disable tracing as needed.
13. On the File menu, click Save.
14. Close Notepad.
15. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.
16. If the Connect to localhost dialog box appears, in the User name field, type betsy.
17. In the Password field, type Pa$$w0rd and then click OK.
18. Notice that This message should appear appears at the top of the page. Scroll down and notice that the trace information appears at the bottom of the page.
19. In the Trace Information section, the next to last lines contain the trace messages from the test.aspx file. Notice that the warning message is red.
20. Close Internet Explorer.
21. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
22. In the Actions pane, click Failed Request Tracing. If Failed Request Tracing does not appear, close and reopen IIS Manager for the added Health and Diagnostics features to appear.
23. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable, and then click OK.
24. In the details pane, double-click Failed Request Tracing Rules.


25. In the Actions pane, click Add.
26. The Add Failed Request Tracing Rule wizard appears. On the Specify Content to Trace page, click ASP.NET (*.aspx), and then click Next.
27. On the Define Trace Conditions page, in the Status code(s) field, type 200 and then click Next.
28. On the Select Trace Providers page, under Providers, clear all check boxes except ASPNET.
29. Click ASPNET.
30. Under Areas, clear all check boxes except Page.
31. Under Verbosity, notice that it is set to Verbose.
32. Click Finish.
33. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.
34. If the Connect to localhost dialog box appears, in the User name field, type betsy.
35. In the Password field, type Pa$$w0rd and then click OK.
36. Press CTRL + O.
37. The Open dialog box appears. Click Browse.
38. Browse to C:\inetpub\logs\FailedReqLogFiles\W3SVC1.
39. In the HTML Files list, click All Files.
40. If there is more than one, click the most recent fr######.xml file, and then click Open.
41. Click OK.
42. The failed request log opens. Notice in the Request Summary section the details of the request: App Pool is SalesSupport_Test, Authentication is Basic, User from token is WOODGROVEBANK\betsy.
43. In the Errors and Warnings section, click Expand All.
44. Notice that the warning This is a warning. appears.


Task 5: Configure Request Filtering so that only ASPX requests are processed
1. In Internet Explorer, browse to http://localhost/welcome.png. Notice that the IIS7 graphic appears.
2. Browse to http://localhost/iisstart.htm. Notice that the IIS7 Welcome page appears.
3. Close Internet Explorer.
4. Click Start, type Notepad and then press Enter.
5. The Notepad window opens. On the File menu click Open.
6. The Open dialog box appears. In the Text Documents list, click All Files.
7. Browse to C:\inetpub\wwwroot.
8. Click web.config, and then click Open.
9. After the sixth line, <system.webServer>, press Enter and then add the following security section:
<security>
  <requestFiltering>
    <fileExtensions allowUnlisted="false">
      <add fileExtension=".aspx" allowed="true"/>
    </fileExtensions>
  </requestFiltering>
</security>

Question: How could you disable only certain extensions, such as .MP3 and .WMA?
Answer: Set the allowUnlisted property to true. Add the unallowed file extensions and set their allowed properties to false.
10. On the File menu, click Save.
11. Close Notepad.
12. Click Start | All Programs | Internet Explorer.
13. The Windows Internet Explorer window opens. Browse to http://localhost/welcome.png.


14. Notice that HTTP Error 404.7 appears. Detailed error messaging states that The request filtering module is configured to deny the file extension.
15. Browse to http://localhost/iisstart.htm. Notice the same error.
16. Click Start | Command Prompt.
17. Type cd \inetpub\wwwroot and then press Enter.
18. Type copy iisstart.htm *.aspx and then press Enter.
19. Type dir, and then press Enter and notice that the file was copied to iisstart.aspx.
20. In Internet Explorer, browse to http://localhost/iisstart.aspx. Notice that the page with the aspx extension loads without error but the image still does not display.
21. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.

Results: After this exercise, you should have successfully configured and verified the configuration of the advanced security settings for ASP.NET.
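
The allow-list added in Task 5 and the deny-list variant from the Question/Answer, compared side by side. This is an added example, not part of the course material: a simplified model of the fileExtensions rule as this lab describes it, run over the lab's URLs plus two constructed media URLs. The function names and sample files are assumptions, inherited server-level settings are not modeled, and a request with no extension is assumed to count as unlisted.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed web.config files. ALLOW_LIST carries the section added in Task 5;
# DENY_LIST is the variant from the Question/Answer (block only .mp3 and .wma).
ALLOW_LIST = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions allowUnlisted="false">
    <add fileExtension=".aspx" allowed="true"/>
  </fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""

DENY_LIST = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions allowUnlisted="true">
    <add fileExtension=".mp3" allowed="false"/>
    <add fileExtension=".wma" allowed="false"/>
  </fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""

# The first three URLs come from the lab steps; the media URLs are constructed.
URLS = [
    "http://localhost/welcome.png",
    "http://localhost/iisstart.htm",
    "http://localhost/iisstart.aspx",
    "http://localhost/media/track.MP3",
    "http://localhost/media/clip.wma",
]


def load_rules(web_config_xml):
    """Return (allow_unlisted, {extension: allowed}) for one web.config string."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("fileExtensions"), None)
    if node is None:
        # This file sets no extension rules; inherited settings are not modeled.
        return True, {}
    allow_unlisted = node.get("allowUnlisted", "true").lower() == "true"
    rules = {}
    for add in node.findall("add"):
        rules[add.attrib["fileExtension"].lower()] = (
            add.attrib["allowed"].lower() == "true"
        )
    return allow_unlisted, rules


def extension_of(url):
    """Extension of the last path segment, lower-cased; '' when there is none."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    dot = segment.rfind(".")
    return segment[dot:].lower() if dot != -1 else ""


def decide(url, allow_unlisted, rules):
    """'pass' or '404.7' (the substatus the lab sees for a denied extension)."""
    ext = extension_of(url)
    # A listed extension follows its own entry; anything else follows
    # allowUnlisted. Extensionless requests are treated as unlisted (assumption).
    allowed = rules[ext] if ext in rules else allow_unlisted
    return "pass" if allowed else "404.7"


def evaluate(web_config_xml, urls):
    allow_unlisted, rules = load_rules(web_config_xml)
    return {url: decide(url, allow_unlisted, rules) for url in urls}


def posture(web_config_xml):
    """Classify the section: allow-list, deny-list, or no extension filtering."""
    allow_unlisted, rules = load_rules(web_config_xml)
    if not allow_unlisted:
        return "allow-list"
    if any(not allowed for allowed in rules.values()):
        return "deny-list"
    return "unfiltered"


if __name__ == "__main__":
    for label, cfg in (("Task 5", ALLOW_LIST), ("Q/A variant", DENY_LIST)):
        print(f"{label}: {posture(cfg)}")
        for url, verdict in evaluate(cfg, URLS).items():
            print(f"  {verdict:6} {url}")
```

Under the allow-list, iisstart.aspx passes while welcome.png is still rejected, which is why the copied page in step 20 loads without its image.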


Module 4: Configuring IIS 7.0 Modules

Lab: Configuring and Editing Modules


Logon Information:
Virtual Machine: NYC-WEB-B
User Name: Woodgrovebank\Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Configuring and Editing Native Modules


Scenario
You received a service request from the application development team specifying the modules that are required to install, test, and run an application on the specified web server. To reduce the server footprint and vulnerability, you must remove the unnecessary modules.

Exercise Overview
In this exercise, you will learn how to remove native modules from a Web server to improve security and reduce the server footprint. This exercise's main tasks are:
1. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator.
2. Backup the current Web server configuration.
3. Examine the modules currently installed on the Web server.
4. Remove the Default Document Module and the Directory Listing Module.
5. Validate that the modules have been removed and test the new server configuration.
6. Restore the modules to the Web server configuration.
7. Validate that the modules have been restored and test the server configuration.


Task 1: Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-WEB-B, click Launch.
2. Log on to NYC-WEB-B as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 2: Backup the current Web server configuration.


1. On NYC-WEB-B, click Start | Command Prompt.
2. Type cd \windows\system32\inetsrv\ and then press Enter.
3. Type appcmd add backup original and then press Enter.
4. Notice that the AppCmd completes the backup and reports BACKUP object "original" added.
Question: When using the appcmd add backup command, where are the backup configuration files placed?
Answer: In a new folder, in the C:\Windows\System32\inetsrv\backup\ folder.

Task 3: Examine the modules currently installed on the Web server


1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, click NYC-WEB-B.
3. In the details pane, in the Group by list, click Category.
4. In the details pane, in the Server Components section, double-click Modules.
5. In the Group by list, click Module Type.


6. Notice that the DefaultDocumentModule and the DirectoryListingModule entries are listed in the Native Modules section.
Question: What do the DefaultDocumentModule and DirectoryListingModule do?
Answer: The DefaultDocumentModule serves a default file to the Web browser when the URL specifies a folder or directory. The DirectoryListingModule supplies the Web client with a list of the folder contents when the URL specifies a folder or directory.

Task 4: Remove the Default Document Module and the Directory Listing Module
1. In the Connections pane, expand NYC-WEB-B | Sites, and then click Default Web Site.
2. In the Actions pane, click Browse *:80(http).
3. The Windows Internet Explorer window opens. Notice that the Woodgrove Bank page opens as expected.
4. Click Start | Computer and then browse to C:\windows\system32\inetsrv\config\.
5. In the details pane, double-click applicationHost.config.
6. The Notepad window opens. Find the <globalModules> section.
7. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <globalModules> tag by deleting these two lines:
<add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
<add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />

8. Scroll down to the bottom of the file and find the <system.webServer> section.


9. Delete the references to the DefaultDocumentModule and the DirectoryListingModule from within the <handlers accessPolicy="Read, Script"> tag by replacing:
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />

With the line:
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />

10. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <modules> tag. Delete the two lines:
<add name="DefaultDocumentModule" lockItem="true" />
<add name="DirectoryListingModule" lockItem="true" />

11. On the File menu, click Save.
12. Close Notepad.

Task 5: Validate that the modules have been removed and test the new server configuration
1. In Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-B.
2. In the details pane, in the Server Components section, double-click Modules.
3. In the Native Modules section, notice that the DefaultDocumentModule and the DirectoryListingModule entries are gone.
4. In Internet Explorer, click the Refresh button. Notice that the Web page is now blank, even though Internet Explorer indicates that it is done loading.


5. In Internet Explorer, browse to http://localhost/default.aspx. Notice that the Web page loads after you specify the default document.
Question: Why did the Web page get restored after the file name, default.aspx was added to the URL?
Answer: The Web server is still completely operational, but no longer offers default documents or directory browsing. So if a full URL is specified, complete with a file name, then the Web server will return that file to the Web client, if available.
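
A check for the three edits made in Task 4, as an added example that is not part of the course material: it lists every place a configuration still references the removed modules, then applies the same three deletions to an in-memory copy. The sample is a trimmed, constructed applicationHost.config left in a half-edited state, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

REMOVED = ("DefaultDocumentModule", "DirectoryListingModule")

# Constructed, heavily trimmed applicationHost.config in a half-edited state:
# one <globalModules> entry and one <modules> entry were deleted, the other two
# were missed, and the StaticFile handler was not touched at all.
SAMPLE = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <handlers accessPolicy="Read, Script">
        <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
      </handlers>
      <modules>
        <add name="StaticFileModule" lockItem="true" />
        <add name="DefaultDocumentModule" lockItem="true" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""


def leftover_references(config_xml, removed=REMOVED):
    """List (section, entry, module) for every remaining reference to a module.

    Covers the three places the lab edits: <globalModules>, the modules=""
    attribute of each handler, and <modules>.
    """
    removed = set(removed)
    root = ET.fromstring(config_xml)
    findings = []
    for section in ("globalModules", "modules"):
        for container in root.iter(section):
            for add in container.findall("add"):
                if add.get("name") in removed:
                    findings.append((section, add.get("name"), add.get("name")))
    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            for name in add.get("modules", "").split(","):
                if name.strip() in removed:
                    findings.append(("handlers", add.get("name"), name.strip()))
    return findings


def remove_modules(config_xml, removed=REMOVED):
    """Apply the Task 4 deletions to a copy of the XML and return the result."""
    removed = set(removed)
    root = ET.fromstring(config_xml)
    for section in ("globalModules", "modules"):
        for container in root.iter(section):
            for add in container.findall("add"):
                if add.get("name") in removed:
                    container.remove(add)
    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            if "modules" not in add.attrib:
                continue
            kept = [m.strip() for m in add.get("modules").split(",")
                    if m.strip() not in removed]
            if not kept:
                # A handler with no module left needs a decision, not a silent edit.
                raise ValueError(f"handler {add.get('name')!r} would have no module")
            add.set("modules", ",".join(kept))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for section, entry, module in leftover_references(SAMPLE):
        print(f"still referenced in <{section}> entry {entry!r}: {module}")
    cleaned = remove_modules(SAMPLE)
    print("references after cleanup:", leftover_references(cleaned))
```
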

Task 6: Restore the modules to the Web server configuration


In the Command Prompt, type appcmd restore backup original and then press Enter. Notice that the AppCmd completes the restore and reports that the original configuration has been restored.
Question: After the AppCmd completes the restore, where does it restore the configuration files to?
Answer: The files are restored to the C:\Windows\System32\inetsrv\config folder.

Task 7: Validate that the modules have been restored and test the server configuration
1. In Internet Explorer, browse to http://localhost/.
2. Click the Refresh button. Notice that the page once again loads properly from the default document.
3. Close Internet Explorer.

Results: After this exercise, you should have successfully removed native modules from a Web server, and then confirmed that the server operates as expected.


Exercise 2: Configuring and Editing Managed Modules


Scenario
To increase throughput, it has been determined that output caching would be beneficial on some of the applications on the web server. You need to make sure that the Output Cache module is installed and configured as specified in the service request. The development team also requested the installation of a new Managed Module that provides an additional level of logging for their application.

Exercise Overview
In this exercise, you will learn how to add new managed modules to a Web server. This exercise's main tasks are:
1. Install the logging managed module.
2. Confirm the installation of the logging managed module.
3. Test the Web site forms authentication functionality.
4. Examine the modules currently running on the Web server.
5. Remove the forms authentication managed module.
6. Test the new configuration.

Task 1: Install the logging managed module


1. In Windows Explorer, browse to C:\inetpub\.
2. Right-click inetpub, and then click New | Folder.
3. Type logging_module and then press Enter.
4. Browse to E:\Mod04\Labfiles\logging_module.
5. Select all, then right-click and then click Copy.
6. Browse to C:\inetpub\logging_module, right-click, and then click Paste.
7. Browse to C:\inetpub\logging_module\logs\.
8. Right-click logs, and then click Properties.
9. The logs Properties dialog box appears. Click the Security tab.
10. Click Edit.
11. The Permissions for logs dialog box appears. In the Group or user names section, click Users (NYC-WEB-B\Users).
12. In the Permissions for Users box, next to Modify, select Allow.
13. Click OK twice.
14. In Internet Information Services (IIS) Manager, in the Connections pane, click Sites.
15. In the Actions pane, click Add Web Site.
16. The Add Web Site dialog box appears. In the Site name field, type logging_module.
17. In the Physical path field, type C:\inetpub\logging_module.
18. In the Port field, type 8181.
19. Click OK.

Task 2: Confirm the installation of the logging managed module


1. In the Actions pane, click Browse *:8181 (http).
2. The Windows Internet Explorer window opens. Click Go on to Second Page. Notice that the second page loads.
3. Close Internet Explorer.
4. In Internet Information Services (IIS) Manager, in the Connections pane, click logging_module.
5. In the details pane, in the Server Components section, double-click Modules.
6. In the Managed Modules section, click Logger.
7. In the Actions pane, click Edit.
8. The Edit Managed Module dialog box appears. Notice that the type is listed as HttpLogger.
9. Click Cancel.
10. In Windows Explorer, browse to C:\inetpub\logging_module\logs.
11. Double-click [yyyymmdd].txt.
12. The Notepad window opens. Notice the log entries for http://localhost:8181/default.aspx and http://localhost:8181/second_page.htm.
Question: Why do the log file entries have the number 8181 listed?
Answer: The logging module records the complete URL of the requested Web site files. The logging_module web site was configured to use port number 8181, which is a secondary Web site port.
13. Close Notepad.

Task 3: Test the Web site forms authentication functionality


1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
2. In the Actions pane, click Browse *:80 (http).
3. The Windows Internet Explorer window opens. Click Shared Documents.
4. In the Email field, type lmartin@woodgrovebank.com.
5. In the Password field, type Pa$$w0rd.
6. Click Login.
7. If you get the AutoComplete Passwords dialog box, click No.
8. Click Woodgrove Confidential Memo. Notice that the image representing the Woodgrove Confidential Memo appears.
9. Click the Back button.
10. Click Signout.
11. Click Home.

Task 4: Examine the modules currently running on the Web server


1. In the Internet Information Services (IIS) Manager window, in the Connections pane, click NYC-WEB-B.
2. In the details pane, in the Server Components section, double-click Modules.
3. In the Managed Modules section, click OutputCache.
4. In the Actions pane, click Edit.
5. The Edit Managed Module dialog box appears. Notice that the module is configured properly and is set to run normally.
6. Click Cancel.

Task 5: Remove the forms authentication managed module


1. In the Connections pane, click Default Web Site.
2. In the details pane, in the Server Components section, double-click Modules.
3. In the Managed Modules section, click FormsAuthentication.
4. In the Actions pane, click Remove.
5. The Confirm Remove dialog box appears. Click Yes.

Task 6: Test the new configuration


1. In the Internet Explorer window, click Shared Documents. Notice that you now get an Access is denied error message, indicating that the logon failed because the forms authentication module has been removed.
Question: Why is the Access is denied error message displayed at this point?
Answer: The Access is denied error message indicates that the logon failed because the forms authentication module has been removed.
2. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have successfully added a managed module to the Web server.


Module 5: Securing the IIS 7.0 Web Server and Web Sites

Lab: Securing the IIS 7.0 Web Server and Web Sites
Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-B User Name: Woodgrovebank\Administrator Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Configure a Secure Web Server


Scenario
Additional security measures need to be put in place to protect the Web server. These measures will protect the web server against unauthorized access by specific IP addresses and domains. Additional ISAPI and CGI restrictions need to be put into place. Then you are given a list of accounts authorized for a specific site. You must give separate access to the IT Admin group and the developer, Herbert Dorner.

Exercise Overview
In this exercise, you will be supplied the service request document and the Active Directory account list. Start the exercise by creating a self-signed server certificate. You will then need to set the IP restrictions as outlined in the service request. Then set ISAPI and CGI restrictions. You must run the .NET Framework 1.1 Aspnet_isapi.dll on your Web server. You can follow these steps to set the ASP.NET ISAPI to Allowed in the ISAPI and CGI Restrictions list. Next, you have to create an application pool that uses .NET Framework 1.1 and that is configured to use ISAPI mode to process requests made to applications in the application pool. Finally, set the Active Directory permissions, as specified in the service request document.

This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine.
2. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator.
3. Create a self-signed server certificate for the Web server.
4. Block IP addresses as specified in the service request.
5. Examine the current ISAPI and CGI Restrictions.
6. Install the .NET Framework 1.1.
7. Set ISAPI and CGI restrictions to use ASP.NET version 1.1.
8. Set the rights and permissions for Active Directory users.
9. Validate the new configuration.

Task 1: Start the 6427A-NYC-DC1 virtual machine


On the Lab Launcher, next to 6427A-NYC-DC1, click Launch.

Task 2: Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator.


1. On the Lab Launcher, next to 6427A-NYC-WEB-B, click Launch.
2. Log on to NYC-WEB-B as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Create a self-signed server certificate for the Web server


1. On NYC-WEB-B, click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, click NYC-WEB-B.
3. In the details pane, in the Group by list, click Category.
4. In the details pane, in the Security section, double-click Server Certificates.
5. In the Actions pane, click Create Self-Signed Certificate.
6. The Create Self-Signed Certificate dialog box appears. In the Specify a friendly name for the certificate field, type woodgrovebank.
7. Click OK. Notice that the new self-signed certificate has been added to the certificate list.
Question: What are the advantages and disadvantages of using self-signed certificates?
Answer: A self-signed certificate will not provide the security guarantees provided by a CA-signed certificate. If your secure server is being accessed by the public at large, your secure Web server needs a certificate signed by a CA, so that people who visit your website can rely on the website being owned by the organization that claims to own it.

Task 4: Block IP addresses as specified in the service request


1. In the Connections pane, click NYC-WEB-B.
2. In the details pane, in the Security section, double-click IPv4 Address and Domain Restrictions.
3. In the Actions pane, click Add Deny Entry.
4. The Add Deny Restrictions Rule dialog box appears. In the Specific IPv4 address field, type 10.10.20.1.
5. Click OK.
6. In the Actions pane, click Add Deny Entry.
7. The Add Deny Restrictions Rule dialog box appears. Click IPv4 address range.
8. In the IPv4 address range field, type 10.10.10.0.
9. In the Mask field, type 255.255.255.0.
10. Click OK. Notice that the new IP restrictions have been added to the list.
Question: When would you want to use this feature to block IP addresses?
Answer: An organization may want to block malicious users or restrict access from a certain domain or location.
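
To see exactly which clients the two deny entries cover, the following added example (not part of the course materials) evaluates addresses against them. It assumes the entries are stored in the <ipSecurity> form shown and that the first matching entry decides; the function names are hypothetical, and the lab's two entries do not overlap, so ordering does not affect the result here.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment: the two deny entries from Task 4 written in the
# <ipSecurity> form (assumed here; the lab only shows the IIS Manager dialogs).
IP_SECURITY = """
<ipSecurity allowUnlisted="true">
  <add ipAddress="10.10.20.1" allowed="false" />
  <add ipAddress="10.10.10.0" subnetMask="255.255.255.0" allowed="false" />
</ipSecurity>
"""


def load_rules(xml_text):
    """Return (allow_unlisted, [(network, allowed), ...]) from an <ipSecurity> element."""
    root = ET.fromstring(xml_text)
    allow_unlisted = root.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in root.findall("add"):
        address = add.get("ipAddress")
        if address is None:
            continue  # domain-name entries need reverse DNS and are not modelled here
        # An entry without a mask covers a single host.
        mask = add.get("subnetMask", "255.255.255.255")
        network = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        rules.append((network, add.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules


def is_allowed(client_ip, allow_unlisted, rules):
    """First matching entry decides; unmatched clients get the allowUnlisted default."""
    client = ipaddress.ip_address(client_ip)
    for network, allowed in rules:
        if client in network:
            return allowed
    return allow_unlisted


def check_clients(clients, xml_text=IP_SECURITY):
    """Map each client address to True (request accepted) or False (request denied)."""
    allow_unlisted, rules = load_rules(xml_text)
    return {ip: is_allowed(ip, allow_unlisted, rules) for ip in clients}


if __name__ == "__main__":
    sample = ["10.10.20.1", "10.10.20.2", "10.10.10.0",
              "10.10.10.255", "10.10.11.1", "192.168.1.5"]
    for ip, ok in check_clients(sample).items():
        print(f"{ip:<14} {'allowed' if ok else 'denied'}")
```

With allowUnlisted="true" the list works as a blocklist, so any address outside the two entries is still served; the address checked is the one that connects to the server, which is the proxy's address when the site sits behind a reverse proxy.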


Task 5: Examine the current ISAPI and CGI Restrictions


1. In the Connections pane, click NYC-WEB-B.
2. In the details pane, in the Security section, double-click ISAPI and CGI Restrictions. Notice that Active Server Pages and ASP.NET v2.0.50727 are the only applications currently listed.
3. In the details pane, click Active Server Pages.
4. In the Actions pane, click Edit.
5. The Edit ISAPI or CGI Restriction dialog box appears. Notice that you can easily edit the ISAPI or CGI path, description, and execution allow.
6. Click Cancel.
7. In the Actions pane, click Edit Feature Settings.
8. The Edit ISAPI or CGI Restrictions Settings dialog box appears. While it's not a recommended practice, you can easily allow unspecified CGI and ISAPI modules.
9. Click Cancel.

Task 6: Install the .NET Framework 1.1


1. Click Start | Computer and then browse to E:\Mod05\Labfiles.
2. Double-click dotnetfix.exe.
3. The Microsoft .NET Framework 1.1 Setup dialog box appears, confirming if you want to install the .NET Framework package. Click Yes.
4. The Microsoft .NET Framework 1.1 Setup dialog box appears, asking you to agree to the license agreement. Click I agree.
5. Click Install.
6. When the installation is complete, click OK. Note that it may take about four minutes to complete.
7. In the Windows Explorer window, in the details pane, double-click NDP1.1sp1-KB867460-X86.exe.
8. The Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) dialog box appears, confirming if you want to install the Service Pack. Click OK.
9. The Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) License Agreement dialog box appears, asking you to agree to the license agreement. Click I accept.
10. When the installation is complete, click OK. Note that it may take about two minutes to complete.

Task 7: Set ISAPI and CGI restrictions to use ASP.NET version 1.1
1. In Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-B.
2. In the details pane, in the Security section, double-click ISAPI and CGI Restrictions. Notice that the ASP.NET v1.1.4322 has been added.
3. In the details pane, click ASP.NET v1.1.4322.
4. In the Actions pane, click Edit.
5. The Edit ISAPI or CGI Restriction dialog box appears. Select Allow extension path to execute, and then click OK.
6. In the Connections pane, expand NYC-WEB-B, and then click Application Pools. Notice that the ASP.NET v1.1 application pool has been added and started.

Task 8: Set the rights and permissions for Active Directory users
1. In Windows Explorer, browse to C:\inetpub\wwwroot\.
2. Right-click wwwroot and then click Properties.
3. The wwwroot Properties dialog box appears. Click the Security tab.
4. Click Edit.
5. The Permissions for wwwroot dialog box appears. Click Add.
6. The Select Users, Computers, or Groups dialog box appears. Click Locations.
7. The Locations dialog box appears. If WoodgroveBank.com is not already highlighted, then in the Location tree, click WoodgroveBank.com.
8. Click OK.
9. In the Enter the object names to select field, type ITAdmins_WoodgroveGG and then click Check Names.
10. Click OK. Notice that the Read & execute, List folder contents, and Read options are allowed.
11. Click Add.
12. The Select Users, Computers, or Groups dialog box appears. In the Enter the object names to select field, type Herbert and then click Check Names.
13. Click OK.
14. Next to Full control, select Allow.
15. Click OK.

Task 9: Test and validate the new configuration


1. In the Group or user names field, click ITAdmins_WoodgroveGG. Notice that the Read & execute, List folder contents, and Read options are allowed.
2. In the Group or user names field, click Herbert Dorner. Notice that all the options are allowed.
3. Click OK.
Results: After this exercise, you should have successfully set IP restrictions, ISAPI and CGI restrictions, and Active Directory permissions, as specified in a service request document.


Exercise 2: Configure Authorization, Authentication and Access


Scenario
Additional security measures need to be put in place to protect the Web server. An application is protected with forms authentication, but it is discovered that some of the content, such as a jpg, can bypass forms authentication and still be accessed by entering the direct URL path and file name. You must configure the protected content to use the managed forms authentication module.

Exercise Overview
In this exercise, you must reconfigure authentication and authorization so that the shared documents folder on the Web server is fully protected by forms authentication. This exercise's main tasks are:
1. Turn off the Web site cache for the shared documents folder.
2. Sign into the Woodgrove Bank Web site and retrieve the confidential memo.
3. Bypass the Web site forms authentication.
4. Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow.
5. Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode.
6. Modify the applicationHost.config file to disable all other authentication types except for anonymous.
7. Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section.
8. Reconfigure the authorization and authentication so that the protected content uses forms authentication.
9. Test and validate the new Web site configuration.


Task 1: Turn off the Web site cache for the shared documents folder
1. On NYC-WEB-B, in Internet Information Services (IIS) Manager, in the Connections pane, expand NYC-WEB-B | Sites | Default Web Site | docs, and then click shared.
2. In the details pane, in the HTTP Features section, double-click HTTP Response Headers.
3. In the Actions pane, click Add.
4. The Add Custom HTTP Response Header dialog box appears. In the Name field, type Cache-Control.
5. In the Value field, type no-cache and then click OK.

Task 2: Sign into the Woodgrove Bank Web site and retrieve the confidential memo
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
2. In the Actions pane, click Browse *:80 (http).
3. The Windows Internet Explorer window opens. Click Shared Documents.
4. In the Email field, type lmartin@woodgrovebank.com.
5. In the Password field, type Pa$$w0rd.
6. Click Login.
7. If you get the AutoComplete Passwords dialog box, click No.
8. Click Woodgrove Confidential Memo. Notice that the image representing the Woodgrove Confidential Memo appears.
9. Click the Back button.
10. Click Signout.


Task 3: Bypass the Web site forms authentication


1. In Internet Explorer, browse to http://localhost/docs/shared/Woodgrove_memo.jpg. Notice that the image representing the Woodgrove Confidential Memo appears.
Question: Why is the confidential memo being displayed even after the user logs out?
Answer: The Web site and directory are not fully protected by forms authentication.
2. Click the Back button.

Task 4: Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow
1. In Windows Explorer, browse to C:\windows\system32\inetsrv\config.
2. In the details pane, double-click applicationHost.config. Unlock the URL Authorization section by changing the override mode default to 'allow'. Do this by modifying the authorization section indicated on the next step.
3. Find the <configSections> section. Find:
<section name="authorization" overrideModeDefault="Allow" />

And replace it with:


<section name="authorization" type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35" overrideModeDefault="Allow" />


Task 5: Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode
Change the Classic .NET application pool to Integrated mode by finding the <applicationPools> section and replacing:
<add name="Classic .NET AppPool" managedPipelineMode="Classic" />

With:
<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />

Task 6: Modify the applicationHost.config file to disable all other authentication types except for anonymous
1. Find the <authentication> section.
2. Append:
enabled="false"

To:
clientCertificateMappingAuthentication, digestAuthentication, iisClientCertificateMappingAuthentication, and windowsAuthentication.


Task 7: Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section
1. Remove the preconditions for FormsAuthentication and DefaultAuthentication from the modules section. Do this by finding the <system.webServer> section, and then modifying the lines indicated on the next steps.
2. Replace:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
With:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
3. Replace:
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
With:
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
4. On the File menu, click Save.
5. Close Notepad.

Task 8: Reconfigure the authorization and authentication so that the protected content uses forms authentication
1. In Windows Explorer, browse to C:\inetpub\wwwroot.
2. In the details pane, double-click Web.Config.
3. The Notepad window opens. Find the <authorization> section.
4. Add the line <allow users="lmartin@woodgrovebank.com" />, above the line <!--<deny users="?" />-->.
5. Remove the commenting brackets from the line <!--<deny users="?" />-->, changing it to <deny users="?" />.
6. On the File menu, click Save.
7. Close Notepad.
8. In Internet Information Services (IIS) Manager, in the Connections pane, click shared.
9. In the details pane, in the Security section, double-click Authentication.
10. Click Anonymous Authentication.
11. In the Actions pane, click Disable.

Task 9: Test and validate the new Web site configuration


1. In Internet Explorer, in the Email field, type lmartin@woodgrovebank.com.
2. In the Password field, type Pa$$w0rd.
3. Click Login.
4. Click Woodgrove Confidential Memo.
5. Click the Back button.
6. Click Signout.
7. In Internet Explorer, browse to http://localhost/docs/shared/Woodgrove_memo.jpg. Notice that you are redirected to the login page and that proper authentication is now required to access the Woodgrove Memo file.
Results: After you reconfigure the Web site's authorization and authentication so that all content uses forms authentication, thereby protecting the confidential memo, the only way to obtain the memo is by having the correct credentials.
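
The bypass in Task 3 works because FormsAuthentication and DefaultAuthentication carry preCondition="managedHandler", so they run only for requests served by managed handlers and a static .jpg skips them. The following added example (not part of the course materials) checks copies of both files for the conditions Tasks 5, 7 and 8 change; the sample fragments are constructed, the function names are hypothetical, and placing <authorization> under <system.web> is an assumption.

```python
import xml.etree.ElementTree as ET

AUTH_MODULES = ("FormsAuthentication", "DefaultAuthentication")

# Constructed "before" fragments, modelled on the lines this exercise edits.
APPHOST_BEFORE = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="Classic .NET AppPool" managedPipelineMode="Classic" />
    </applicationPools>
  </system.applicationHost>
  <system.webServer>
    <modules>
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>
"""
# Assumption: the <authorization> section sits under <system.web>.
WEBCONFIG_BEFORE = """
<configuration>
  <system.web>
    <authorization>
      <!--<deny users="?" />-->
    </authorization>
  </system.web>
</configuration>
"""
# The same fragments after Tasks 5, 7 and 8 have been carried out.
APPHOST_AFTER = (APPHOST_BEFORE
                 .replace(' preCondition="managedHandler"', "")
                 .replace('managedPipelineMode="Classic"',
                          'managedPipelineMode="Integrated"'))
WEBCONFIG_AFTER = WEBCONFIG_BEFORE.replace(
    '<!--<deny users="?" />-->',
    '<allow users="lmartin@woodgrovebank.com" />\n      <deny users="?" />')


def managed_only_modules(apphost_xml, names=AUTH_MODULES):
    """Listed modules that still run only for requests served by managed handlers."""
    flagged = []
    for modules in ET.fromstring(apphost_xml).iter("modules"):
        for add in modules.findall("add"):
            # preCondition may hold several comma-separated tokens.
            tokens = [t.strip() for t in add.get("preCondition", "").split(",")]
            if add.get("name") in names and "managedHandler" in tokens:
                flagged.append(add.get("name"))
    return flagged


def classic_pools(apphost_xml):
    """Application pools explicitly set to Classic pipeline mode."""
    pools = []
    for section in ET.fromstring(apphost_xml).iter("applicationPools"):
        for add in section.findall("add"):
            if add.get("managedPipelineMode") == "Classic":
                pools.append(add.get("name"))
    return pools


def denies_anonymous(webconfig_xml):
    """True if an active (not commented-out) <deny users="?" /> rule exists."""
    # The default parser drops XML comments, so a commented rule is not seen.
    for authz in ET.fromstring(webconfig_xml).iter("authorization"):
        for deny in authz.findall("deny"):
            if "?" in [u.strip() for u in deny.get("users", "").split(",")]:
                return True
    return False


def audit(apphost_xml, webconfig_xml):
    """Return one finding per condition that leaves static content unprotected."""
    findings = [f"module {name} runs only for managed handlers"
                for name in managed_only_modules(apphost_xml)]
    findings += [f"application pool {pool!r} uses Classic pipeline mode"
                 for pool in classic_pools(apphost_xml)]
    if not denies_anonymous(webconfig_xml):
        findings.append('no active <deny users="?" /> rule in <authorization>')
    return findings


if __name__ == "__main__":
    for label, apphost, webconfig in (("before", APPHOST_BEFORE, WEBCONFIG_BEFORE),
                                      ("after", APPHOST_AFTER, WEBCONFIG_AFTER)):
        print(label, audit(apphost, webconfig) or "no findings")
```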


Exercise 3: Configure Logging


Scenario
Additional security measures need to be put in place to protect the Web server. You received a service request to keep a log of all visitors to the web server for the past 24 hours. You must enable and configure logging and then test and verify the log.

Exercise Overview
In this exercise, you must configure and test Web site logging operations. This exercise's main tasks are:
1. Examine and configure logging options.
2. Test the logging operations.

Task 1: Examine and configure logging options


1. On NYC-WEB-B, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-B.
2. In the details pane, in the Health and Diagnostics section, double-click Logging.
3. Notice that the Log File Rollover Schedule is set for Daily.
4. Select Use local time for file naming and rollover.
5. In the Actions pane, click Apply.


Task 2: Test the logging operations


1. In Internet Explorer, click the Refresh button.
2. In Windows Explorer, browse to C:\inetpub\logs\LogFiles\W3SVC1.
3. In the details pane, double-click the newest log file. Notice the most recent log entries at the bottom of the log. Notice that the log entries include a number of lines with the word GET.
Question: What does the word GET mean in this log file?
Answer: The GET commands indicate requests from the client to the Web server to retrieve the Web pages and images.
4. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After examining the configuration of the Web server's logging settings, the current log file was examined and proven to successfully track the Web server's activity.
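
One way to answer the service request from the log itself, as an added example that is not part of the course materials: it parses W3C extended log lines using the #Fields header and counts requests per client address over the last 24 hours. Timestamps in W3C-format IIS logs are UTC even when Use local time for file naming and rollover is selected, so the window is computed in UTC; the log lines are constructed and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in IIS W3C extended format; addresses and paths are made up
# apart from the URLs this lab browses to.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-03-09 09:15:02
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-03-09 09:15:02 10.10.0.20 GET /default.aspx - 80 - 10.10.0.31 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2008-03-09 18:30:00 10.10.0.20 GET /default.aspx - 80 - 10.10.0.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2008-03-10 08:40:10 10.10.0.20 GET /images/logo.gif - 80 - 10.10.0.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2008-03-10 08:41:00 10.10.0.20 POST /login.aspx - 80 - 10.10.0.31 Mozilla/4.0+(compatible;+MSIE+7.0) 302
#Software: Microsoft Internet Information Services 7.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-03-10 17:59:30 10.10.0.44 GET /docs/shared/Woodgrove_memo.jpg 302
2008-03-10 17:59
""".splitlines()

# Constructed "current time" for the sample, in UTC like the log timestamps.
SAMPLE_NOW = datetime(2008, 3, 10, 18, 0, 0, tzinfo=timezone.utc)


def parse_w3c(lines):
    """Parse W3C extended log lines into dicts keyed by the active #Fields header."""
    fields = []
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A new header block can appear mid-file and change the field list.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()  # spaces inside a value are logged as '+'
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        rec = dict(zip(fields, values))
        if "date" not in rec or "time" not in rec:
            continue  # cannot place the entry in time
        stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["timestamp"] = stamp.replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def summarize_window(records, now, hours=24):
    """Return (requests per client IP, requests per HTTP method) for the window."""
    cutoff = now - timedelta(hours=hours)
    visitors = Counter()
    methods = Counter()
    for rec in records:
        if cutoff <= rec["timestamp"] <= now:
            visitors[rec.get("c-ip", "-")] += 1
            methods[rec.get("cs-method", "-")] += 1
    return dict(visitors), dict(methods)


if __name__ == "__main__":
    visitors, methods = summarize_window(parse_w3c(SAMPLE_LOG), SAMPLE_NOW)
    for ip, count in sorted(visitors.items()):
        print(f"{ip:<12} {count} request(s)")
    print("methods:", methods)
```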


Module 6: Configuring Delegation and Remote Administration

Lab: Configuring Delegation and Remote Administration


Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-B User Name: Woodgrovebank\Administrator Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Configuring Remote Administration


Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer. A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server. You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated.

Exercise Overview
In this exercise you will practice configuring a Web server for remote administration.


This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator.
2. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator.
3. Configure NYC-WEB-B for remote administration.
4. Test NYC-WEB-B remote administration.

Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 2: Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-WEB-B, click Launch.
2. Log on to NYC-WEB-B as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Configure NYC-WEB-B for remote administration


1. On NYC-WEB-B, in the Server Manager connections pane, click NYC-WEB-B.
2. In the details pane, in the Management section, double-click Management Service.
3. Select Enable remote connections.
4. Click Windows credentials or IIS Manager credentials.
5. In the Actions pane, click Apply.
6. Click Start.


Task 4: Test NYC-WEB-B remote administration


1. On NYC-DC1, in the Server Manager console pane, click Roles.
2. Right-click Roles, and then click Add Roles.
3. The Add Roles Wizard appears. Click Next.
4. In the Roles box, select Web Server (IIS).
5. The Add Roles Wizard dialog box appears. Click Add Required Features.
6. Click Next twice.
7. In the Role services box, clear all check boxes except for IIS Management Console.
8. Click Next, and then click Install.
9. When the installation completes, click Close.
10. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
11. In the details pane, click Connect to a server.
12. The Connect to Server wizard appears. In the Server name field, type NYC-WEB-B, and then click Next.
13. On the Provide Credentials page, in the User name field, type administrator@woodgrovebank.com.
14. In the Password field, type Pa$$w0rd, and then click Next.
15. The Server Certificate Alert dialog box appears. Click Connect.
16. The Specify a Connection Name dialog box appears. Click Finish.
17. In the Connections pane, expand NYC-WEB-B | Sites and then click Default Web Site.
Question: Is the IIS Management Service available for configuration remotely?
Answer: No, this service can only be configured locally.
18. In the details pane, in the IIS section, double-click Default Document.
19. Click index.htm.
20. In the Actions pane, click Move Up.
21. The Default Document dialog box appears. Click Yes.
22. In the Actions pane, click Move Up.
Results: After completing this exercise, you should have configured the IIS Management Service to accept remote connections and you should have tested a remote connection from NYC-DC1.


Exercise 2: Configuring Delegated Administration


Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer. A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server. You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated.

Exercise Overview
In this exercise you will practice delegating administration of two web sites to the appropriate business owners. This exercise's main tasks are:
1. Configure delegated administration for the Human Resources site.
2. Share the Woodgrove sales Web site for Betsy Stadick.
3. Configure delegated administration for the Sales site.
4. Test delegated administration for the Human Resources and Sales sites.

Task 1: Configure delegated administration for the Human Resources site


1. On NYC-WEB-B, click Start | Computer and then browse to E:\Mod06\Labfiles.
2. Right-click WoodgroveHRSite, and then click Share.
3. The File Sharing dialog box appears. Type Herbert and then click Add.
4. Next to Herbert Dorner, click Reader, and then click Co-owner.
5. Click Share.
6. The Your folder is shared page appears. Click Done.
7. In the Internet Information Services (IIS) Manager Connections pane, expand Sites, and then click HR.
8. In the details pane, in the Management section, double-click IIS Manager Permissions.
9. In the Actions pane, click Allow User.
10. The Allow User dialog box appears. In the Windows field, type Herbert and then click OK.

Task 2: Share the Woodgrove Sales Web Site for Betsy Stadick
1. In Windows Explorer, browse to E:\Mod06\Labfiles.
2. Right-click WoodgroveSalesSite, and then click Share.
3. The File Sharing dialog box appears. Type Betsy and then click Add.
4. Next to Betsy Stadick, click Reader and then click Co-owner.
5. Click Share.
6. The Your folder is shared page appears. Click Done.

Task 3: Configure delegated administration for the Sales site


1. Click Start, type Notepad, and then press ENTER.
2. The Notepad window opens. On the File menu, click Open.
3. The Open dialog box appears. In the Text Documents list, click All Files.
4. Browse to C:\windows\system32\inetsrv\config.
5. Click applicationHost.config, and then click Open.
6. Scroll down to the <authentication> tag and delete the following text:
<anonymousAuthentication enabled="true" userName="IUSR" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication />
<digestAuthentication />
<iisClientCertificateMappingAuthentication />
<windowsAuthentication />
7. On the File menu, click Save.
8. On the File menu, click Open.
9. The Open dialog box appears. Browse to E:\Mod06\Labfiles.
10. Click EnableAnonymousAuthentication.txt, and then click Open.
11. On the Edit menu, click Select All.
12. On the Edit menu, click Copy.
13. On the File menu, click Open.
14. The Open dialog box appears. In the Text Documents list, click All Files.
15. Browse to C:\windows\system32\inetsrv\config.
16. Click applicationHost.config, and then click Open.
17. Scroll to the end of the applicationHost.config file and put the cursor on the line before </configuration>.
18. On the Edit menu, click Paste.
19. On the File menu, click Save.
20. Close Notepad.

Task 4: Test delegated administration for the Human Resources and Sales sites
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start | Switch User. Log on as woodgrovebank\herbert with a password of Pa$$w0rd. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. The User Account Control dialog box appears. In the Password field, type Pa$$w0rd, and then click OK. In the details pane, click Connect to a site. The Connect to Site dialog box appears. In the Server name field, type NYCWEB-B. In the Site name field, type HR, and then click Next. The Provide Credentials page appears. In the User name field, type herbert@woodgrovebank.com. In the Password field, type Pa$$w0rd and then click Next.

10. The Server Certificate Alert dialog box appears. Click Connect.

L6-84

Module 6: Configuring Delegation and Remote Administration

MCT USE ONLY. STUDENT USE PROHIBITED

11. The Specify a Connection Name dialog box appears. In the Connection Name field, type Human Resources Site and then click Finish. 12. In the Connections pane, click Start Page. 13. In the details pane, click Connect to a site. 14. The Connect to Site dialog box appears. In the Server name field, type NYCWEB-B. 15. In the Site name dialog box, type Sales, and then click Next. 16. The Provide Credentials page appears. In the User name field, type herbert@woodgrovebank.com. 17. In the Password field, type Pa$$w0rd, and then click Next. 18. The Connect to Site dialog box appears with an error stating that the user is not authorized to connect to the specified computer. Question: Why does this error occur? Answer: This error occurs because Herbert was not granted IIS Manager permission on the Sales site. 19. Click OK. 20. Click Cancel. 21. Close Internet Information Service (IIS) Manager. 22. The Internet Information Service (IIS) Manager dialog box appears, asking if you want to save changes. Click No. 23. Click Start | Switch User. 24. Log on as woodgrovebank\betsy with a password of Pa$$w0rd. 25. Click Start, type Notepad, and then press Enter. 26. The Notepad window opens. On the File menu, click Open. 27. The Open dialog box appears. Browse to E:\Mod06\Labfiles. 28. Click DisableAuthentications, and then click Open. 29. On the Edit menu, click Select All. 30. On the Edit menu, click Copy. 31. On the File menu, click Open.


32. The Open dialog box appears. In the File name field, type \\NYC-WEB-B\WoodgroveSalesSite\Web.Config and then click Open.
33. Scroll to the end of the Web.Config file and put the cursor on the line before </configuration>.
34. On the Edit menu, click Paste.
35. On the File menu, click Save.
36. Close Notepad.
37. Click Start | Internet Explorer.
38. The Windows Internet Explorer window opens. Browse to http://sales.woodgrovebank.com.
39. Notice error 401 indicating that the user does not have permission to view this page.
    Question: Why does the server report this error?
    Answer: The server reports a 401 error because both Anonymous Authentication and Windows Authentication have been disabled. The web server is unable to service a request for a web page if no means for authentication is configured.
40. Click Start, type Notepad, and then press Enter.
41. The Notepad window opens.
42. On the File menu, click Open.
43. The Open dialog box appears. In the File name field, type \\NYC-WEB-B\WoodgroveHRSite\Web.Config and then click Open.
44. The Network Error dialog box appears. Click See details and notice that the resulting error says access is denied.
45. Click Cancel twice and then close Notepad.
Results: After completing this exercise, you should have successfully delegated administration for the Human Resources web site to Herbert Dorner and delegated administration for the Sales web site to Betsy Stadick.


Exercise 3: Configuring Feature Delegation


Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer. A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server. You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated.

Exercise Overview
In this exercise you will practice configuring delegated administration so that all site owners can administer the error messages for their site. This exercise's main tasks are:
1. Configure feature delegation for the Human Resources and Sales sites.
2. Test feature delegation for the Human Resources site.

Task 1: Configure feature delegation for the Human Resources and Sales sites
1. On NYC-WEB-B, in the Internet Information Services (IIS) Manager Connections pane, click NYC-WEB-B.
2. In the details pane, in the Management section, double-click Feature Delegation.
3. Click Error Pages.
4. In the Actions pane, click Read/Write.

Task 2: Test feature delegation for the Human Resources site


1. On NYC-DC1, click Start | Switch User.
2. Log on as woodgrovebank\herbert with a password of Pa$$w0rd.


3. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
4. The User Account Control dialog box appears. In the Password field, type Pa$$w0rd, and then click OK.
5. In the details pane, click Connect to a site.
6. The Connect to Site dialog box appears. In the Server name field, type NYC-WEB-B.
7. In the Site name dialog box, type HR, and then click Next.
8. The Provide Credentials page appears. In the User name field, type herbert@woodgrovebank.com.
9. In the Password field, type Pa$$w0rd, and then click Next.
10. The Server Certificate Alert dialog box appears. Click Connect.
11. The Specify a Connection Name dialog box appears. In the Connection Name field, type Human Resources Site and then click Finish.
12. In the Connections pane, click Human Resources Site.
13. In the details pane, in the IIS section, double-click Error Pages.
14. Right-click the line beginning with 404, and then click Edit.
15. The Edit Custom Error Page dialog box appears. Click Execute a URL on this site.
16. In the URL (relative to site root) field, type /ErrorPages/custom404.htm and then click OK.
17. Click Start | Internet Explorer.
18. The Internet Explorer window opens. Browse to http://hr.woodgrovebank.com/missingpage.htm.
19. Note that the custom error page is displayed.
20. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After completing this exercise, you should have successfully configured the Human Resources and Sales sites so that the site owners can customize error pages for each site.
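Feature Delegation's Read/Write and Read Only settings correspond to the override mode of the matching configuration section (Error Pages is system.webServer/httpErrors). The following PowerShell is an added example, not part of the course lab files, that reports the effective override mode of that section and of the two authentication sections disabled through Web.config in the previous exercise, at server level and for each site. The function name Get-DelegationState and the choice of sections are assumptions.

```powershell
# Added example (not from the lab files). Run in an elevated PowerShell session on the
# IIS 7.0 server; reading applicationHost.config requires administrator rights.
[void][System.Reflection.Assembly]::LoadFrom(
    (Join-Path $env:windir 'system32\inetsrv\Microsoft.Web.Administration.dll'))

# Sections to audit (an assumed selection): Error Pages, plus the two authentication
# schemes that a site owner could switch off from Web.config once they are unlocked.
$auditSections = @(
    'system.webServer/httpErrors',
    'system.webServer/security/authentication/anonymousAuthentication',
    'system.webServer/security/authentication/windowsAuthentication'
)

function Get-DelegationState {
    param([string[]]$SectionPaths = $auditSections)

    $manager = New-Object Microsoft.Web.Administration.ServerManager
    $config  = $manager.GetApplicationHostConfiguration()

    # '' stands for the server level; each site name is a location path of its own.
    $locations = @('') + @($manager.Sites | ForEach-Object { $_.Name })

    foreach ($location in $locations) {
        foreach ($path in $SectionPaths) {
            # Read only: nothing is committed, so the configuration is not modified.
            if ($location -eq '') {
                $section = $config.GetSection($path)
                $label   = '(server)'
            } else {
                $section = $config.GetSection($path, $location)
                $label   = $location
            }

            # Allow means site owners may override the section in Web.config
            # (Read/Write in Feature Delegation); Deny means it is locked (Read Only).
            $effective = $section.OverrideModeEffective.ToString()
            if ($effective -eq 'Allow') { $delegation = 'Read/Write' }
            else                        { $delegation = 'Read Only' }

            $row = New-Object PSObject
            $row | Add-Member -MemberType NoteProperty -Name Location   -Value $label
            $row | Add-Member -MemberType NoteProperty -Name Section    -Value $path
            $row | Add-Member -MemberType NoteProperty -Name Configured -Value $section.OverrideMode.ToString()
            $row | Add-Member -MemberType NoteProperty -Name Effective  -Value $effective
            $row | Add-Member -MemberType NoteProperty -Name Delegation -Value $delegation
            $row
        }
    }
}

# List every audited section per location, unlocked sections first.
Get-DelegationState | Sort-Object Effective, Location | Format-Table -AutoSize
```

Rows that show Read/Write for an authentication section identify sites whose owners can change how visitors are authenticated by editing Web.config alone, as the Sales site owner did in Exercise 2.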


Module 7: Using Command-line and Scripting for IIS 7.0 Administration

Lab: Using Command-line and Scripting for IIS 7.0


Logon Information:
Virtual Machine: NYC-WEB-B
User Name: Woodgrovebank\Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Manage IIS Web Sites with PowerShell


Scenario
The development team requires additional tools to manage their Websites. First you need to make sure that PowerShell will correctly manage the server's services and make sure it can successfully stop and start the Web service.

Exercise Overview
In this exercise, you will learn how to use PowerShell to manage IIS 7.0. This exercise's main tasks are:
1. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator.
2. Use PowerShell to identify all services.
3. Use PowerShell to identify running services that start with a w.
4. Stop the w3svc service using PowerShell.
5. Start the w3svc service using PowerShell.
6. List PowerShell.exe process using the get-wmiobject cmdlet.


Task 1: Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-WEB-B, click Launch.
2. Log on to NYC-WEB-B as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 2: Use PowerShell to identify all services


1. On NYC-WEB-B, click Start | All Programs | Windows PowerShell 1.0 | Windows PowerShell.
2. At the Windows PowerShell prompt, type get-service and then press Enter.

Notice the status, name, and display name of each service.

Task 3: Use PowerShell to identify running services that start with a w


1. Type get-service -include w* | sort-object -property status and then press Enter.
2. Notice the list of services that begin with a w with the stopped services listed first.

Task 4: Stop the w3svc service using PowerShell


1. Type stop-service -servicename w3svc and then press Enter.
2. Type get-service -servicename w3svc and then press Enter.

Task 5: Start the w3svc service using PowerShell.


1. Type start-service -servicename w3svc and then press Enter.
2. Type get-service -servicename w3svc and then press Enter.


Task 6: List PowerShell.exe process using the get-wmiobject cmdlet


1. Type Get-WmiObject -query "Select * From Win32_Process Where Name = 'powershell.exe'" and then press Enter.
2. Notice the detailed information for the powershell.exe process.
   Question: What operating system is listed in the details?
   Answer: Microsoft Windows Server 2008 Enterprise.
Results: After this exercise, you should have successfully identified, stopped and started services using PowerShell.


Exercise 2: Use Microsoft.Web.Administration


Scenario
You need to verify that a script will effectively stop and start using MWA. Run the script and then check to make sure that the service is stopped. Then restart the service using the script and verify that it is started.

Exercise Overview
In this exercise, you will learn how to use MWA to execute a script. This exercise's main tasks are:
1. Load Microsoft.Web.Administration.dll.
2. Get Website information with MWA.
3. Create a function using MWA to find Websites.
4. Use the findsite function to list the default Website, the default Website ID, and then stop and start the default Website.

Task 1: Load Microsoft.Web.Administration.dll


1. On NYC-WEB-B, in PowerShell, type [System.Reflection.Assembly]::LoadFrom("C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll") and then press Enter.
2. Notice the GAC, version and location for the Microsoft.Web.Administration.dll, which signifies the DLL file was loaded.

Task 2: Get Website information with MWA


1. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites and then press Enter.
2. Notice the detailed information for the sites on the server.
3. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites | ForEach-Object {$_.Name} and then press Enter.
4. Notice the names of the Websites on the server.


Task 3: Create a function using MWA to find Websites


Type function findsite {$name=$args[0]; ((New-Object Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name -match $name}); } and then press Enter.
Question: This command line didn't return any values. What did it do?
Answer: This command line created the command findsite, which integrates the Microsoft.Web.Administration module into an easy-to-use single command.

Task 4: Use the findsite function to list the default Website, the default Website ID, and then stop and start the default Website
1. Type findsite default* and then press Enter.
2. Notice the detailed information for the default Website.
3. Type (findsite default*).ID and then press Enter.
4. Notice the ID for the default Website: 1.
5. Type (findsite default*).Stop() and then press Enter.
6. Notice the status for the default Website is now stopped.
7. Type (findsite default*).Start() and then press Enter.
8. Notice the output is unknown.
   Question: Why does the command return an output value of unknown?
   Answer: Because it attempted to start the default Web site without first checking to see if it was stopped or checking the result.
9. Type (findsite default*).State and then press Enter.
10. Notice the status for the default Website is now started.
Results: After this exercise, you should have successfully used Microsoft.Web.Administration to gather Website information and created a function to start and stop the default Website.
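The Start() call in step 7 of Task 4 reports unknown because nothing checks the site's state before the call or confirms it afterward. The following PowerShell is an added example, not part of the course lab files, that reads the state first, changes it only when needed, and polls until the site reaches the requested state. It also requires the name pattern to match exactly one site, because findsite's -match operator is an unanchored regular expression rather than a wildcard. The function names Get-SingleSite and Set-SiteState and the 15-second timeout are assumptions.

```powershell
# Added example (not from the lab files). Run in an elevated PowerShell session on the
# IIS 7.0 server.
[void][System.Reflection.Assembly]::LoadFrom(
    (Join-Path $env:windir 'system32\inetsrv\Microsoft.Web.Administration.dll'))

# Return the one site whose name matches the regular expression, read through a fresh
# ServerManager so the State property is current. Zero or several matches is an error:
# a state-changing helper should never act on a site the operator did not intend.
function Get-SingleSite {
    param([string]$Pattern)

    $manager = New-Object Microsoft.Web.Administration.ServerManager
    $found = @($manager.Sites | Where-Object { $_.Name -match $Pattern })
    if ($found.Count -ne 1) {
        throw "Pattern '$Pattern' matched $($found.Count) sites; expected exactly one."
    }
    $found[0]
}

# Bring a site to 'Started' or 'Stopped' and report what happened.
function Set-SiteState {
    param(
        [string]$Pattern,
        [string]$Desired,
        [int]$TimeoutSeconds = 15
    )

    if (@('Started', 'Stopped') -notcontains $Desired) {
        throw "Desired must be 'Started' or 'Stopped'."
    }

    $site   = Get-SingleSite $Pattern
    $before = $site.State.ToString()

    # Act only when the site is not already in the requested state.
    if ($before -ne $Desired) {
        if ($Desired -eq 'Started') { [void]$site.Start() }
        else                        { [void]$site.Stop() }
    }

    # Poll the runtime state instead of trusting the value returned by Start()/Stop().
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $current = (Get-SingleSite $Pattern).State.ToString()
        if ($current -eq $Desired) { break }
        Start-Sleep -Milliseconds 250
    } while ((Get-Date) -lt $deadline)

    if ($current -ne $Desired) {
        throw "Site '$($site.Name)' is '$current' after $TimeoutSeconds seconds; wanted '$Desired'."
    }

    $result = New-Object PSObject
    $result | Add-Member -MemberType NoteProperty -Name Site    -Value $site.Name
    $result | Add-Member -MemberType NoteProperty -Name Before  -Value $before
    $result | Add-Member -MemberType NoteProperty -Name After   -Value $current
    $result | Add-Member -MemberType NoteProperty -Name Changed -Value ($before -ne $current)
    $result
}

# Same stop/start sequence as the lab, with an anchored pattern and verified results.
Set-SiteState '^Default Web Site$' 'Stopped'
Set-SiteState '^Default Web Site$' 'Started'
```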


Exercise 3: Automate IIS Administration using Scripts


Scenario
The development team provided you with a script that lists Websites on the server. You need to test and run the script using PowerShell. You also need to deploy several identical Websites using the same default content located on a share. A PowerShell script will be used to automate this task.

Exercise Overview
In this exercise, you will learn how to use PowerShell scripts. This exercise's main tasks are:
1. Create Microsoft.PowerShell profile script to automatically load assemblies.
2. Set execution policy to unrestricted.
3. Add a global variable to profile script.
4. List sites using global variable.
5. Use PowerShell script to find sites.
6. Review and run a script to create a Website.
7. Use PowerShell script to verify site was created.


Task 1: Create Microsoft.PowerShell profile script to automatically load assemblies


1. On NYC-WEB-B, in PowerShell, type if (test-path $profile) {echo "Path exists."} else {new-item -path $profile -itemtype file -force}; notepad $profile and then press Enter.
2. The Notepad window opens. Type the following:
   echo "Microsoft IIS 7.0 Environment Loader"
   echo "Copyright 2006 Microsoft Corporation. All rights reserved."
   echo "Loading IIS 7.0 Managed Assemblies"
   # Build the path to the IIS binaries folder under the Windows directory.
   $inetsrvDir = (join-path -path $env:windir -childPath "\system32\inetsrv\")
   # Load every Microsoft*.dll assembly found in that folder into the session.
   Get-ChildItem -Path (join-path -path $inetsrvDir -childPath "Microsoft*.dll") | ForEach-Object {[System.Reflection.Assembly]::LoadFrom((join-path -path $inetsrvDir -childPath $_.Name))}
   echo "Assemblies loaded."
3. On the File menu, click Save.

Task 2: Set execution policy to unrestricted


1. Minimize but do not close Notepad.
2. In Windows PowerShell, type get-executionpolicy and then press Enter.
3. Notice the executionpolicy is set to restricted.
4. Type set-ExecutionPolicy Unrestricted and then press Enter.

Task 3: Add a global variable to profile script


1. In Notepad, at the end of the script, type new-variable iismgr -value (New-Object Microsoft.Web.Administration.ServerManager) -scope "global".
2. On the File menu, click Save.
3. Minimize but do not close Notepad.


Task 4: List sites using global variable


1. Close Windows PowerShell and then reopen it.
2. Notice the script information that now executes when you open PowerShell.
3. Type $iismgr.Sites and then press Enter.
4. Notice the site information that is displayed.

Task 5: Use PowerShell script to find sites


1. Close Windows PowerShell.
2. Click Start | Computer, and then browse to E:\Mod07\Labfiles\Scripts.
3. Right-click iis.type.ps1xml, and then click Edit.
4. The Notepad window opens. Review the code.
5. On the File menu, click Save As.
6. The Save As dialog box appears. In the Save as type list, click All Files.
7. Browse to C:\windows\System32\WindowsPowerShell\v1.0 and then click Save.
8. Close Notepad.
9. Restore Notepad, at the end of the script, type the following:
   new-variable iissites -value (New-Object Microsoft.Web.Administration.ServerManager).Sites -scope "global"
   new-variable iisapppools -value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools -scope "global"
   update-typedata -append (join-path -path $PSHome -childPath "iis.types.ps1xml")
10. On the File menu, click Save.
11. Close Notepad.


12. Click Start | All Programs | Windows PowerShell 1.0 | Windows PowerShell.
13. The Windows PowerShell window opens. Type $iissites.Find("^Default*") and then press Enter.
14. Notice the details for the default Website are listed.

Task 6: Review and run a script to create a default Website in PowerShell


1. In Windows Explorer, browse to E:\Mod07\Labfiles\Scripts\CreateWebsite\CreateWebsite\CreateWebsite.
2. Double-click CreateWebsite.cs.
3. The Notepad window opens. Review the code, and then close Notepad.
4. In Windows Explorer, browse to E:\Mod07\Labfiles\Scripts\CreateWebsite\CreateWebsite\CreateWebsite\bin\Debug.
5. Right-click CreateWebsite.exe, and then click Copy.
6. Browse to C:\ and then click Paste.
7. In Windows PowerShell, type c:\CreateWebsite.exe and then press Enter.

Task 7: Use PowerShell script to verify Website was created


1. Type $iissites.Find("^NewSite*") and then press Enter.
2. Notice the details for the new Website are listed.
Results: After this exercise, you should have successfully created a Microsoft.PowerShell profile script. You should have also used a saved script to list Websites. Finally, you should have successfully created a site named NewSite.


Exercise 4: Manage IIS tasks using WMI and AppCmd


Scenario
You need to verify which tasks are running on the server. Use WMI and AppCmd to display the list of running tasks.

Exercise Overview
In this exercise, you will use WMI and AppCmd for IIS administration. This exercise's main tasks are:
1. Use AppCmd to identify tasks running on the Web server.
2. Use AppCmd to identify all running application pools.
3. Use AppCmd to recycle all running application pools.
4. Move all applications in a site to NewAppPool application pool.
5. Store configuration information to file, and then restore the configuration information.
6. Use WMI to list the Default Web Site on the Web server.

Task 1: Use AppCmd to identify tasks running on the Web server


1. On NYC-WEB-B, click Start | Command Prompt.
2. Type cd \windows\system32\inetsrv and then press Enter.
3. Type appcmd list wp and then press Enter.
4. Notice this command lists the current running worker processes. If the command doesn't list any results, there aren't any worker processes running.

Task 2: Use AppCmd to identify all running application pools


1. Type appcmd list apppool and then press Enter.
2. Notice the currently running application pools are listed.


Task 3: Use AppCmd to recycle all running application pools


1. Type appcmd list apppool /xml | appcmd recycle apppool /in and then press Enter.
2. Notice that the message DefaultAppPool successfully recycled is displayed.

Task 4: Move all applications in a site to NewAppPool application pool


1. Type appcmd list app /site.name:"NewSite" /xml | appcmd set app /in /applicationPool:NewAppPool and then press Enter.
2. Notice that the message APP object NewSite/ changed is displayed.

Task 5: Store configuration information to file, and then restore the configuration information
1. Type appcmd list config "Default Web Site/" /section:caching /xml /config > config.xml and then press Enter.
2. Type appcmd set config "Default Web Site/" /in < config.xml and then press Enter.
3. Notice the configuration changes were applied to the Default Web Site.


Task 6: Use WMI to list the Default Web Site on the Web server
1. Click Start, type Notepad and then press Enter.
2. The Notepad window opens. Type:
   ' Connect to the IIS 7.0 WMI provider namespace.
   Set oIIS = GetObject("winmgmts:root\WebAdministration")
   ' Retrieve the Site instance by its key property, Name.
   Set oSite = oIIS.Get("Site.Name='Default Web Site'")
   WScript.Echo "Retrieved an instance of Site"
   WScript.Echo "Name: " & oSite.Name
   WScript.Echo "ID: " & oSite.ID
3. On the File menu, click Save.
4. The Save As dialog box appears. In the File name field, type C:\GetSite.vbs.
5. In the Save as type list, click All Files, and then click Save.
6. Close Notepad.
7. From the command prompt, type cd \, and then press Enter.
8. Type cscript //h:cscript, and then press Enter.
9. Notice the default script has been set to cscript.exe.
10. Type getsite.vbs, and then press Enter.
11. Notice the Web site name and ID are displayed.
12. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have successfully used AppCmd to recycle application pools, move applications, and store configuration information to a file. You should have also successfully identified the default Website using WMI.


Module 8: Tuning IIS 7.0 for Improved Performance

Lab: Tuning IIS 7.0 for Improved Performance


Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-A
User Name: Woodgrovebank\Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Deploying Applications


Scenario
You receive a request to deploy a second copy of an installed application, and then deploy updates to the new installation so that the Enterprise Design QA team can test the proposed updates.

Exercise Overview
In this exercise, students will learn how to deploy an application, as well as application updates, with Xcopy. This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine.
2. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator.
3. Add ASP.NET and Dynamic Content Compression features to the IIS Role.
4. Create the SalesSupport application and copy the ASP.NET application files.
5. Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy.
6. Deploy the application updates to SalesSupport2 using Xcopy.
7. Create and assign an application pool for SalesSupport2 and test functionality.


Task 1: Start the 6427A-NYC-DC1 virtual machine


On the Lab Launcher, next to 6427A-NYC-DC1 click Launch.

Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-WEB-A click Launch.
2. Log on to NYC-WEB-A as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Add ASP.NET and Dynamic Content Compression features to the IIS Role
1. On NYC-WEB-A, in Server Manager, in the console pane, expand Roles and then click Web Server (IIS).
2. Right-click Web Server (IIS), and then click Add Role Services.
3. The Add Role Services dialog box appears. In the Role services box, select ASP.NET.
4. The Add Role Services box appears. Click Add Required Role Services.
5. In the Performance section, select Dynamic Content Compression.
6. Click Next and then click Install.
7. When the installation completes, click Close.
8. In the details pane, in the Role Services section, notice that ASP.NET and Dynamic Content Compression are listed as Installed.

Task 4: Create the SalesSupport application and copy the ASP.NET application files
1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NYC-WEB-A | Sites and then click Default Web Site.
3. In the Actions pane, click View Applications.


4. Click Add Application.
5. The Add Application dialog box appears. In the Alias field, type SalesSupport.
6. Next to the Physical path field, click the Browse (...) button.
7. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder.
8. Type SalesSupport and then click OK.
9. Click OK.
10. Click Start | Computer and then browse to E:\Mod08\Labfiles\SalesSupport.
11. Select all, then right-click and click Copy.
12. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.

Task 5: Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy
1. Click Start | Command Prompt.
2. Type cd \inetpub\wwwroot and then press Enter.
3. Type md SalesSupport2 and then press Enter.
4. Type xcopy /e SalesSupport\*.* SalesSupport2.
5. Notice that 36 files are copied.

Task 6: Deploy the application updates to SalesSupport2 using Xcopy


1. At the command prompt, type E: and then press Enter.
2. Type cd \Mod08\Labfiles\SalesSupport2 and then press Enter.
3. Type xcopy /e *.* c:\inetpub\wwwroot\salessupport2 and then press Enter.
4. When prompted to overwrite files, press A for all.
5. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
6. In the Actions pane, click View Applications.


7. Click Add Application.
8. The Add Application dialog box appears. In the Alias field, type SalesSupport2.
9. Next to the Physical path field, click the Browse (...) button.
10. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot\SalesSupport2, and then click OK twice.

Task 7: Create and assign an application pool for SalesSupport2 and test functionality
1. In the Connections pane, click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport2 and then click OK.
4. In the Connections pane, expand Default Web Site and then click SalesSupport2.
5. In the Actions pane, click Basic Settings.
6. The Edit Application dialog box appears. Click Select.
7. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport2, and then click OK twice.
8. Click Start | All Programs | Internet Explorer.
9. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.
10. Notice that the Woodgrove Bank Sales Support page loads successfully.
11. In Internet Explorer, browse to http://localhost/salessupport2.
12. Notice that the Woodgrove Bank Sales Support page version 2.0 loads successfully.
Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, deployed the SalesSupport2 application, and verified functionality.


Exercise 2: Configuring IIS Performance Options


Scenario
Next you will configure performance options for the SalesSupport application. First, you will use Performance Monitor to look at the current machine performance. Then you will configure and test output caching, compression, and throttling.

Exercise Overview
In this exercise, students will learn how to configure IIS Performance Options. This exercise's main tasks are:
1. Use Performance Monitor to measure performance.
2. Configure Output Caching.
3. Configure Compression.
4. Configure connection limit throttling.

Task 1: Use Performance Monitor to measure performance


1. On NYC-WEB-A, click Start | Administrative Tools | Reliability and Performance Monitor.
2. In the console pane, click Performance Monitor.
3. In the details pane, right-click the graph, and then click Remove All Counters.
4. The Performance Monitor Control dialog box appears. Click OK.
5. Above the graph, click the Add button (green plus).
6. The Add Counters dialog box appears. In the Available counters list, scroll down, and then expand Web Service.
7. Click Bytes Sent/sec.
8. In the Instances of selected object field, click <All instances>.
9. Click Add, and then click OK.
10. With Reliability and Performance monitor running, in Internet Explorer, browse to http://localhost/salessupport/test.aspx.


11. After the page loads, click Refresh several times rapidly. Notice that the dynamically generated time updates each time you refresh.
12. Close Internet Explorer.
13. In Reliability and Performance Monitor, notice that the graph reflects the throughput. Note that you can right-click the graph and then click Scale Selected Counters to get a better representation. You may need to do this a couple of times to get a zoomed in view of the data.

Task 2: Configure Output Caching


1. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport.
2. In the details pane, in the IIS section, double-click Output Caching.
3. In the Actions pane, click Add.
4. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.
5. Select Kernel-mode caching.
6. Click At time intervals, and then delete the existing text and type 00:00:10.
7. Click OK.
8. Open Internet Explorer, and browse to http://localhost/salessupport/test.aspx.
9. Click Refresh several times rapidly for at least 30 seconds.
10. Notice that the time updates only every 10 seconds after the first couple of loads and that the subsequent loads are much faster.
11. In Internet Explorer, browse to http://localhost/salessupport2/test.aspx.
12. Click Refresh several times rapidly.
13. Notice that the time updates with each load.
14. In Reliability and Performance monitor, compare the two peaks for throughput on the graph. Notice that the first peak has higher throughput than the second.


Task 3: Configure Compression


1. In Internet Explorer, browse to http://localhost.
2. Click Refresh several times rapidly.
3. In Reliability and Performance Monitor, note the throughput on the graph.
4. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
5. In the details pane, in the IIS section, double-click Compression.
6. Clear the Enable static content compression check box.
7. In the Actions pane, click Apply.
8. In Internet Explorer, browse to http://localhost.
9. Click Refresh several times rapidly.
10. In Reliability and Performance Monitor, note the throughput on the graph. There should not be much change for static compression.
    Question: Why does the graph show little or no change?
    Answer: Static compression is cached. Only the first page load requires processing the compression.
11. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.
12. Click Refresh several times rapidly.
13. In Reliability and Performance Monitor, note the throughput on the graph.
14. In Internet Information Services (IIS) Manager, in the details pane, select Enable dynamic content compression.
15. In the Actions pane, click Apply.
16. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.
17. Click Refresh several times rapidly.
18. Close Internet Explorer.
19. In Reliability and Performance Monitor, note the throughput on the graph. The throughput has decreased because dynamic compression negates dynamic output caching.


Task 4: Configure connection limit throttling


1. Open Internet Explorer, and browse to http://localhost.
2. Right-click the IIS7 tab, and then click New Tab.
3. In the new tab, browse to http://localhost.
4. Repeat to create another new tab, and then browse to http://localhost. You should have three tabs open.
5. Right-click one of the tabs, and then click Refresh All.
6. Notice that all of the tabs refresh successfully.
7. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
8. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
9. In the Actions pane, click Limits.
10. The Edit Web Site Limits dialog box appears. Select Limit number of connections.
11. In the Limit number of connections field, type 1.
12. Click OK.
13. Open Internet Explorer, and browse to http://localhost in three tabs.
14. In Internet Explorer, right-click one of the tabs, and then click Refresh All.
15. Notice that at least one of the tabs now reports Service Unavailable.
16. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
Results: After this exercise, you should have configured performance options and verified functionality.


Exercise 3: Managing Application Pools to Improve Performance


Scenario
You will now modify the application pools to improve resource usage.

Exercise Overview
In this exercise, students will learn how to manage application pools to improve performance. This exercise's main tasks are:
1. Use Reliability and Performance Monitor to measure resource usage.
2. Recycle an application pool.
3. Assign SalesSupport and SalesSupport2 to the same application pool.

Task 1: Use Reliability and Performance Monitor to measure resource usage


1. On NYC-WEB-A, open Internet Explorer, and browse to http://localhost/salessupport.
2. Open a second tab and browse to http://localhost/salessupport2.
3. In Reliability and Performance Monitor, in the console pane, click Reliability and Performance.
4. In the details pane, expand Memory.
5. Click the Image column heading to sort by image name, and then scroll down to w3wp.exe.
6. Notice that there are two instances running. Note the amount of memory being used by each in the Commit (KB) and Working Set (KB) columns.

Task 2: Recycle an application pool


1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools.
2. In the details pane, click SalesSupport2.
3. In the Actions pane, click Recycle.
4. In Reliability and Performance Monitor, notice that one of the w3wp.exe processes consumes less memory.
5. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.

Task 3: Assign SalesSupport and SalesSupport2 to the same application pool


1. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport2.
2. In the Actions pane, click Basic Settings.
3. The Edit Application dialog box appears. Click Select.
4. The Select Application Pool dialog box appears. In the Application pool list, click DefaultAppPool.
5. Click OK twice.
6. In the Connections pane, click Application Pools.
7. In the details pane, click SalesSupport2.
8. In the Actions pane, click Remove.
9. The Confirm Remove dialog box appears. Click Yes.
10. Open Internet Explorer, and browse to http://localhost/salessupport.
11. Open a second tab and browse to http://localhost/salessupport2.
12. In Reliability and Performance Monitor, notice that there is now only one w3wp.exe process and less total memory consumed.
13. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have recycled and consolidated application pools, and verified resource usage with Reliability and Performance Monitor.


Module 9: Ensuring Web Site Availability with Web Farms

Lab: Ensuring Web Site Availability with Web Farms


Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-D, NYC-WEB2
User Name: Woodgrovebank\Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Backing Up an IIS Web Site


Scenario
The Enterprise Design Team has asked you to explore options for increasing Web site availability. Before you begin, you will back up an existing site and verify that it can be restored properly.

Exercise Overview
In this exercise, students will learn how to back up a Web site. Use the virtual disk drive E: for the backup drive, as a stand-in for a remote storage device. This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine.
2. Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator.
3. Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator.
4. Back up the Web site, Web application, and config files to the E: drive.


Task 1: Start the 6427A-NYC-DC1 virtual machine


On the Lab Launcher, next to 6427A-NYC-DC1, click Launch.

Task 2: Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-WEB-D, click Launch.
2. Log on to NYC-WEB-D as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-WEB2, click Launch.
2. Log on to NYC-WEB2 as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 4: Back up the Web site, Web application, and config files to the E: drive
1. On NYC-WEB-D, click Start | Computer, and then browse to E:.
2. In the File menu, click New | Folder.
3. Type Web Site Backup, and then press Enter.
4. Browse to \\NYC-WEB-D\E\Web Site Backup.
5. Browse to C:\inetpub\wwwroot.
6. In the details pane, select all, right-click, and then click Copy.
7. Browse to \\NYC-WEB-D\E\Web Site Backup, right-click and then click Paste.
8. Notice that the Web site files are now backed up to this shared folder.
Results: After this exercise, you should have successfully backed up a web site.


Exercise 2: Restoring an IIS Web Site


Scenario
The Enterprise Design Team has asked you to verify that the backups can be restored properly. Do this by restoring the Web files to a second server and confirm that the second server functions properly.

Exercise Overview
In this exercise, students will learn how to restore a Web site. This exercise's main task is: Restore the Web site, Web application, and config files from the shared drive.

Task 1: Restore the Web site, Web application, and config files from the shared drive
1. On NYC-WEB2, on the desktop, click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NYC-WEB2 | Sites, and then click Default Web Site.
3. In the Actions pane, click Browse *:80 (http).
4. The Microsoft Internet Explorer window opens. Notice that the IIS 7.0 default page is displayed.
5. Click Start | Computer, and then browse to C:\inetpub\wwwroot.
6. Notice that the folder contains the two IIS 7.0 default Web site files, iisstart.htm and welcome.png, and the aspnet_client folder.
7. Browse to the networked computer NYC-WEB-D.
8. If the NYC-WEB-D computer is not displayed in the details pane, network discovery may be turned off. Click the notice bar, and then click Turn on network discovery and file sharing.
9. Browse to \\NYC-WEB-D\E\Web Site Backup.
10. In the details pane, select all, right-click and then click Copy.
11. Browse to C:\inetpub\wwwroot, right-click and then click Paste.
12. If a Copy File dialog box appears, indicating that you are about to overwrite any files or folders, click Copy and Replace.
13. If a Confirm Folder Replace dialog box appears, indicating that you are about to overwrite a folder, click Yes.
14. Notice that the new Web site files are now copied to this location.
15. In Internet Explorer, click the Refresh button.
16. Notice that the Woodgrove Bank Web site has been deployed on the second Web server.
Question: What process on the Web server led to the Woodgrove Bank Web site being displayed instead of the IIS 7.0 default Web site?
Answer: After the Woodgrove Bank Web site files were copied to the second Web server, the default file default.aspx superseded the file iisstart.htm.
Results: After this exercise, you should have successfully restored a web site to a second server.


Exercise 3: Enabling Shared Configurations


Scenario
The next step is to increase Web site availability. Now that you have two identically configured Web servers, implement shared configurations for them.

Exercise Overview
In this exercise, students will learn how to enable shared configuration. This exercise's main tasks are:
1. Export and Enable Shared Configuration.
2. Add the second Web server to use the Shared Configuration.
3. Test the Shared Configuration.

Task 1: Export and Enable Shared Configuration


1. On NYC-WEB-D, click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, click NYC-WEB-D.
3. In the details pane, in the Management section, double-click Shared Configuration.
4. In the Actions pane, click Export Configuration.
5. The Export Configuration dialog box appears, allowing you to export the local configuration files, settings, and encryption keys. In the Physical Path field, type \\NYC-WEB-D\E.
6. In the Encryption keys password and Confirm password fields, type Pa$$w0rd.
7. Click OK.
8. The Export Configuration dialog box appears indicating that the files were exported successfully. Click OK.
9. In the details pane, select Enable shared configuration.
10. In the Physical Path field, type \\NYC-WEB-D\E.
11. In the User name field, type Woodgrovebank\Administrator.
12. In the Password and Confirm password fields, type Pa$$w0rd.
13. In the Actions pane, click Apply.
14. The Encryption Keys Password dialog box appears for you to enter the encryption key. In the Enter encryption key password field, type Pa$$w0rd.
15. Click OK.
16. The Shared Configuration dialog box appears, indicating that the current encryption keys were backed up. Click OK.
17. The Shared Configuration dialog box appears, indicating that IIS Manager and Management service must be restarted for these changes to be completed. Click OK.
18. Close Internet Information Services (IIS) Manager.
19. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
20. In the Connections pane, click NYC-WEB-D.
21. In the details pane, in the Management section, double-click Management Service.
22. In the Actions pane, click Start.

Task 2: Add the second Web server to use the Shared Configuration
1. On NYC-WEB2, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB2.
2. In the details pane, in the Management section, double-click Shared Configuration.
3. Select Enable shared configuration.
4. In the Physical Path field, type \\NYC-WEB-D\E.
5. In the User name field, type Woodgrovebank\Administrator.
6. In the Password and Confirm password fields, type Pa$$w0rd.
7. In the Actions pane, click Apply.
8. The Encryption Keys Password dialog box appears. In the Enter encryption key password field, type Pa$$w0rd.
9. Click OK.
10. The Shared Configuration dialog box appears, indicating that the current encryption keys were backed up. Click OK.
11. The Shared Configuration dialog box appears, indicating that IIS Manager and Management service must be restarted for these changes to be completed. Click OK.
12. Close Internet Information Services (IIS) Manager.
13. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
14. In the Connections pane, click NYC-WEB2.
15. In the details pane, in the Management section, double-click Management Service.
16. In the Actions pane, click Start.


Task 3: Test the Shared Configuration


1. On NYC-WEB-D, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-D.
2. In the details pane, in the IIS section, double-click Default Document.
3. In the Actions pane, click Add.
4. The Add Default Document dialog box appears to allow us to add a default document to test the shared configuration. In the Name field, type test.html and then click OK.
5. On NYC-WEB2, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB2.
6. In the details pane, in the IIS section, double-click Default Document.
7. Notice that the default document test.html has been added to the top of the list for the second Web server as well.
Question: Why has the default document test.html been added to the top of the list for the second Web server as well?
Answer: The default document test.html has been added to the top of the list for the second Web server because both servers are using shared configuration.
Results: After this exercise, you should have successfully configured a two-server network with an underlying foundation of shared configurations.


Exercise 4: Configuring Network Load Balancing


Scenario
With the two Web servers set up with Shared Configurations, configure Network Load Balancing to increase Web site availability.

Exercise Overview
In this exercise, students will ensure Web site availability by implementing Network Load Balancing. This exercise's main tasks are:
1. Create a new Network Load Balancing cluster.
2. Add the second host to the Network Load Balancing cluster.
3. Add the second server to the Network Load Balancing cluster.
4. Verify Network Load Balancing using NLB commands.

Task 1: Create a new Network Load Balancing cluster


1. On NYC-WEB-D, click Start | Administrative Tools | Network Load Balancing Manager.
2. In the console pane, right-click Network Load Balancing Clusters and then click New Cluster.
3. The New Cluster: Connect dialog box appears. Start the process by connecting to the Network Load Balance host computer. In the Host field, type NYC-WEB-D, and then click Connect.
4. Make sure the Local Area Connection interface with Interface IP address 10.10.0.21 is highlighted, and then click Next.
5. The New Clusters: Host Parameter page shows the dedicated IP addresses and the initial host state. Click Next.
6. The New Clusters: Cluster IP Addresses page allows you to add cluster IP addresses that are shared by every member of the cluster. Click Add.
7. The Add IP Address dialog box appears, allowing you to add IPv4 or IPv6 addresses to the cluster. In the Add IPv4 address field, type 10.10.0.27.
8. In the Subnet mask field, type 255.255.0.0, and then click OK.
9. Make sure the newly added cluster IP address is highlighted. Click Next.
10. The New Clusters: Cluster Parameters page allows you to modify the operation mode of the cluster IP addresses. In the Full Internet name field, type cluster.woodgrovebank.com.
11. Click Multicast.
12. Click Next.
13. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP address port rules. Click Finish. Wait for the operation to complete before continuing.

Task 2: Add the second host to the Network Load Balancing cluster
1. In the console pane, right-click cluster.woodgrovebank.com and then click Add Host to Cluster.
2. The Add Host to Cluster: Connect dialog box appears. Add the second host computer. In the Host field, type NYC-WEB2, and then click Connect. Wait for the operation to complete before continuing.
3. Make sure the Local Area Connection interface with Interface IP address 10.10.0.26 is highlighted, and then click Next.
4. The New Clusters: Host Parameter page shows the dedicated IP addresses and the initial host state. Make sure that the Priority (unique host identifier) is 2, and then click Next.
5. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP address port rules. Click Finish. Wait for the operation to complete before continuing.

Task 3: Add the second server to the Network Load Balancing cluster
1. On NYC-WEB2, click Start, click Administrative Tools, and then click Network Load Balancing Manager.
2. The Network Load Balancing Manager window opens and loads the current cluster. The Warning dialog box appears, presenting a warning about running NLB in Unicast mode. Click OK.


Task 4: Verify Network Load Balancing using NLB commands


1. Click Start | Command Prompt.
2. Type NLB query 10.10.0.27 and then press Enter.
3. Notice that the NLB command indicates that host 2 has entered a converging state with the cluster.
4. On NYC-WEB-D, click Start | Command Prompt.
5. Type NLB query 10.10.0.27 and then press Enter.
6. Notice that the NLB command indicates that host 1 has entered a converging state with the cluster.
7. Type NLB display and then press Enter.
8. The results show very detailed information about the cluster and its current state. Scroll to the top of the displayed information to examine the Configuration section.
9. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have successfully configured network load balancing on a two-server network, with an underlying foundation of shared configurations.


Module 10: Troubleshooting IIS 7.0 Web Servers

Lab: Troubleshooting IIS 7.0 Web Servers


Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-E
User Name: Woodgrovebank\Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Troubleshooting Authentication


Scenario
You receive a service request asking to resolve a user issue. The password-protected intranet site is accessed by domain users within the company, but is not allowing access to anyone. Using logs and detailed error messages, you must resolve the problem.

Exercise Overview
In this exercise, you will troubleshoot an authentication issue using IIS logs and detailed error messages. This exercise's main tasks are:
1. Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator.
2. Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator.
3. Browse to http://localhost/salessupport.
4. Examine the log file.
5. Enable Detailed Error Messages.
6. Reproduce the issue and examine the detailed error.
7. Resolve the issue and test functionality.


Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-DC1, click Launch.
2. Log on to NYC-DC1 as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 2: Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator


1. On the Lab Launcher, next to 6427A-NYC-WEB-E, click Launch.
2. Log on to NYC-WEB-E as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Browse to http://localhost/salessupport


1. On NYC-WEB-E, click Start | All Programs | Internet Explorer.
2. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.
3. Notice the Server Error: 401 Unauthorized message.

Task 4: Examine the log file


1. Click Start | Computer and then browse to C:\inetpub\logs\LogFiles\W3SVC1.
2. Double-click the most recent log file.
3. The Notepad window opens. Scroll to the far right and examine the last entries in the log file. Notice that the status is 401 and substatus is 2.
4. Close Notepad.


Task 5: Enable Detailed Error Messages


1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NYC-WEB-E | Sites | Default Web Site and then click SalesSupport.
3. In the details pane, in the IIS section, double-click Error Pages.
4. In the Actions pane, click Edit Feature Settings.
5. The Edit Error Pages Settings dialog box appears. Click Detailed errors for local requests and custom error pages for remote requests, and then click OK.

Task 6: Reproduce the issue and examine the detailed error


1. In Internet Explorer, browse to http://localhost/salessupport.
2. Notice the detailed error message reports HTTP Error 401.2 - Unauthorized.
3. Scroll down to Most likely causes. Notice the first cause is No authentication protocol (including anonymous) is selected in IIS.

Task 7: Resolve the issue and test functionality


1. In Internet Information Services (IIS) Manager, click SalesSupport.
2. In the details pane, in the IIS section, double-click Authentication.
3. Notice that all authentication methods are Disabled.
4. In the details pane, click Basic Authentication.
5. In the Actions pane, click Enable.
6. In the details pane, notice that Basic Authentication is Enabled, and all other authentication methods are Disabled.
7. In Internet Explorer, browse to http://localhost/salessupport.
8. Notice that you are prompted for credentials. For User name, type Yvonne.
9. For Password, type Pa$$w0rd and then click OK.
10. Notice that the SalesSupport application now loads without error.
11. Close Internet Explorer.
Results: After this exercise, you should have successfully examined the IIS log files, enabled detailed error messages, and resolved the authentication issue.
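
The log check from Task 4 can be scripted. The following is an added example, not part of the courseware: a Python parser for the W3C extended log format that IIS writes under C:\inetpub\logs\LogFiles\W3SVC1, which tallies 401 responses by substatus and lists URLs that never returned a successful response. The log lines and the /reports/ path are constructed; because a single 401.2 is also the normal first leg of a Basic authentication challenge, the signal of interest is a URL on which no request ever succeeds.

```python
from collections import Counter

# IIS 7.0 meanings of sc-substatus when sc-status is 401.
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
    4: "authorization failed by filter",
    5: "authorization failed by ISAPI/CGI application",
}

# Constructed sample in IIS W3C extended format (not taken from the lab VM).
# The last row is deliberately truncated to show malformed-line handling.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-03-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-03-01 10:00:01 ::1 GET /salessupport/ - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2008-03-01 10:00:04 ::1 GET /salessupport/ - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2008-03-01 10:00:09 ::1 GET /SalesSupport/ - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2008-03-01 10:01:00 ::1 GET /reports/ - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2008-03-01 10:01:03 ::1 GET /reports/ - 80 Yvonne ::1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 1 1326
2008-03-01 10:01:08 ::1 GET /reports/ - 80 Yvonne ::1 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2008-03-01 10:01:09 ::1 GET /repo
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # IIS rewrites this header whenever logging restarts, so track the latest.
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def summarise_401(records):
    """Count 401 responses per (lower-cased URL, substatus)."""
    counts = Counter()
    for rec in records:
        sub = rec.get("sc-substatus", "")
        if rec.get("sc-status") == "401" and sub.isdigit():
            counts[(rec.get("cs-uri-stem", "-").lower(), int(sub))] += 1
    return counts


def uris_without_success(records):
    """URLs that returned 401 and never a status below 400 to any client."""
    failed, succeeded = set(), set()
    for rec in records:
        uri = rec.get("cs-uri-stem", "-").lower()
        status = rec.get("sc-status", "")
        if status == "401":
            failed.add(uri)
        elif status.isdigit() and int(status) < 400:
            succeeded.add(uri)
    return sorted(failed - succeeded)


def report(records):
    """Build human-readable lines: the 401 tally, then the URLs that never succeed."""
    lines = []
    for (uri, sub), n in sorted(summarise_401(records).items()):
        meaning = SUBSTATUS_401.get(sub, "unknown substatus")
        lines.append("%s 401.%d x%d: %s" % (uri, sub, n, meaning))
    for uri in uris_without_success(records):
        lines.append("%s: 401 on every request; check which "
                     "authentication methods are enabled" % uri)
    return lines


if __name__ == "__main__":
    for line in report(list(parse_w3c(SAMPLE_LOG))):
        print(line)
```
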


Exercise 2: Troubleshooting Authorization


Scenario
You receive another service request to secure another Web site where all users are able to view the content. You must reproduce the issue, determine the cause, and resolve the issue.

Exercise Overview
In this exercise, you will troubleshoot authorization using Failed Request Tracing. This exercise's main tasks are:
1. Browse to http://localhost/salessupport2.
2. Enable Failed Request Tracing and add a rule to trace successful requests.
3. Reproduce the issue and examine the Failed Request Tracing log.
4. Resolve the issue and verify functionality.

Task 1: Browse to http://localhost/salessupport2


1. On NYC-WEB-E, in Internet Explorer, browse to http://localhost/salessupport2.
2. Notice that you are not prompted for credentials and the page loads without error.
3. Close Internet Explorer.

Task 2: Enable Failed Request Tracing and add a rule to trace successful requests
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
2. In the Actions pane, click Failed Request Tracing.
3. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable, and then click OK.
4. In the Connections pane, click SalesSupport2.
5. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.
6. In the Actions pane, click Add.
7. The Add Failed Request Tracing Rule dialog box appears. Click Next.
8. Under Status code(s), type 200, and then click Next.
Question: Why do we use status code 200 for this issue?
Answer: Status code 200 is used for a successful page load in IIS. Since the page is loading without error, we must use the status code 200 to trace the issue.
9. Under Providers, clear ASP and ISAPI Extension. Leave ASPNET and WWW Server checked.
10. Click Finish.

Task 3: Reproduce the issue and examine the Failed Request Tracing log
1. In Internet Explorer, browse to http://localhost/SalesSupport2.
2. In Windows Explorer, browse to c:\inetpub\logs\FailedReqLogFiles\W3SVC1.
3. Double-click fr000001.xml.
4. If prompted to add the site to the Trusted sites zone, click Add twice and then click Close.
5. Under Request Summary, notice that Authentication is anonymous.
6. Click the Compact View tab.
7. Scroll down and examine the lines that begin with AUTH_SUCCEEDED and USER_SET. Notice that the authorized user is .
Question: What did we learn from the Failed Request Tracing log?
Answer: Anonymous users are being allowed to access the site. Since anonymous authentication happens successfully, users are not being prompted to enter credentials.
8. Close Internet Explorer.


Task 4: Resolve the issue and verify functionality


1. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport2.
2. In the details pane, double-click Authorization Rules.
3. Notice that Anonymous Users are Allowed.
4. In the details pane, in the IIS section, click Anonymous Users.
5. In the Actions pane, click Remove.
6. The Confirm Remove dialog box appears. Click Yes.
7. In the Connections pane, click SalesSupport2.
8. In the details pane, in the IIS section, double-click Authentication.
9. Notice that both Anonymous Authentication and Basic Authentication are Enabled.
10. Click Anonymous Authentication.
11. In the Actions pane, click Disable.
12. In Internet Explorer, browse to http://localhost/salessupport2.
13. Notice that you are prompted for credentials. For User name, type Yvonne.
14. For Password, type Pa$$w0rd and then click OK.
15. Notice that the SalesSupport2 application loads without error.
16. Close Internet Explorer and open it again to create a new session.
17. Browse to http://localhost/salessupport2.
18. When prompted for credentials, leave both fields blank and click OK three times.
19. Notice that you get a 401 Unauthorized message.
Results: After this exercise, you should have successfully enabled failed request tracing, and resolved the authorization issue.
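
The misconfigurations behind Exercises 1 and 2 can also be found by auditing the configuration instead of browsing to each application. The following is an added example, not part of the courseware: Python that resolves each location's inherited authentication and URL authorization settings and flags an application with no authentication method enabled (the 401.2 case) or one that anonymous users can reach. The XML is a constructed applicationHost.config fragment; the enabled= defaults and the treatment of Deny rules as overriding Allow rules are assumptions stated in the comments.

```python
import xml.etree.ElementTree as ET

# Assumed value of enabled= when no configuration level sets it explicitly.
DEFAULTS = {"anonymousAuthentication": True, "basicAuthentication": False,
            "digestAuthentication": False, "windowsAuthentication": False}

# Constructed applicationHost.config fragment modelling both lab applications
# before they are fixed; it is not copied from the lab virtual machine.
SAMPLE_CONFIG = """
<configuration>
  <system.webServer><security>
    <authentication><anonymousAuthentication enabled="true" /></authentication>
    <authorization><add accessType="Allow" users="*" /></authorization>
  </security></system.webServer>
  <location path="Default Web Site/SalesSupport">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <basicAuthentication enabled="false" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/SalesSupport2">
    <system.webServer><security>
      <authentication><basicAuthentication enabled="true" /></authentication>
      <authorization><add accessType="Allow" users="?" /></authorization>
    </security></system.webServer>
  </location>
</configuration>
"""


def _apply_level(node, auth, rules):
    """Overlay one level (server-wide or a <location>) onto the inherited state."""
    security = node.find("system.webServer/security")
    if security is None:
        return
    for method in DEFAULTS:
        element = security.find("authentication/" + method)
        if element is not None and "enabled" in element.attrib:
            auth[method] = element.get("enabled").strip().lower() == "true"
    for element in security.findall("authorization/*"):
        who = (element.get("users", ""), element.get("roles", ""))
        if element.tag == "clear":
            rules.clear()
        elif element.tag == "remove":
            rules[:] = [rule for rule in rules if rule[1:] != who]
        elif element.tag == "add":
            rules.append((element.get("accessType", "").lower(),) + who)


def _matches_anonymous(rule):
    """True when the rule's users list names anonymous (?) or all users (*)."""
    return any(user.strip() in ("?", "*") for user in rule[1].split(","))


def audit(config_xml):
    """Return (location path, finding code) pairs, ordered by location path."""
    root = ET.fromstring(config_xml)
    locations = {loc.get("path", ""): loc for loc in root.findall("location")}
    findings = []
    for path in sorted(locations):
        auth, rules = dict(DEFAULTS), []
        _apply_level(root, auth, rules)          # server-wide settings first
        parts = path.split("/")
        for depth in range(1, len(parts) + 1):   # then each ancestor, then the path itself
            level = locations.get("/".join(parts[:depth]))
            if level is not None:
                _apply_level(level, auth, rules)
        if not any(auth.values()):
            findings.append((path, "no-auth-method"))    # every request ends in 401.2
        allowed = any(r[0] == "allow" and _matches_anonymous(r) for r in rules)
        # Assumption: a matching Deny rule takes precedence over any Allow rule.
        denied = any(r[0] == "deny" and _matches_anonymous(r) for r in rules)
        if auth["anonymousAuthentication"] and allowed and not denied:
            findings.append((path, "anonymous-access"))  # served without credentials
    return findings


if __name__ == "__main__":
    for path, code in audit(SAMPLE_CONFIG):
        print("%s: %s" % (path, code))
```
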


Exercise 3: Troubleshooting Communication


Scenario
Users are reporting that a Web application is returning an error when they try to browse to it. You must troubleshoot why the Web application cannot open the content.

Exercise Overview
In this exercise, you will troubleshoot communication using tools. This exercise's main tasks are:
1. Reproduce the issue.
2. Use Ping to verify communication with the Web server.
3. Enable detailed errors and examine the detailed error.
4. Correct the problem and verify functionality.

Task 1: Reproduce the issue


1. On NYC-DC1, click Start | All Programs | Internet Explorer.
2. The Windows Internet Explorer window opens. Browse to http://nyc-webe/netapp/content.
3. Notice the 500 Internal server error message.

Task 2: Use Ping to verify communication with the Web server


1. Click Start | Command Prompt.
2. Type ping NYC-WEB-E and then press Enter.
3. Notice that the ping succeeds indicating that NYC-DC1 and NYC-WEB-E are communicating.


Task 3: Enable detailed errors and examine the detailed error


1. On NYC-WEB-E, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-E.
2. In the details pane, in the IIS section, double-click Error Pages.
3. In the Actions pane, click Edit Feature Settings.
4. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click OK.
5. In Internet Explorer, browse to http://localhost/netapp/content.
6. Notice the 500.19 error.
7. Next to Config Error, notice the message Cannot read configuration file because the network path is not found.
8. Next to Config File, notice the path has nyc-weeb-e for the server name.

Task 4: Correct the problem and verify functionality


1. In Internet Information Services (IIS) Manager, in the Connections pane, expand NetApp and then click Content.
2. In the Actions pane, click Advanced Settings.
3. The Advanced Settings dialog box appears. In the Physical Path field, modify the path to read \\nyc-web-e\content, and then click OK.
4. In Internet Explorer, browse to http://localhost/netapp/content.
5. Notice that the IIS Welcome page appears and there is no error message.
Results: After this exercise, you should have used ping to verify communication, enabled detailed error messages, and resolved the error.


Exercise 4: Troubleshooting Configuration


Scenario
Users are reporting they receive multiple errors when trying to view JPG files that previously worked. You know that multiple people have the ability to modify this site including Web.config and related files.

Exercise Overview
In this exercise, you will troubleshoot configuration using detailed error messages. This exercise's main tasks are:
1. Reproduce the issue and examine the detailed error message.
2. Examine and correct the web.config file.
3. Verify functionality.

Task 1: Reproduce the issue and examine the detailed error message
1. On NYC-WEB-E, in Internet Explorer, browse to http://localhost/pics/logo.jpg.
2. Notice the HTTP Error 404.4 Not Found message.
3. In the Most likely causes section, notice that the most likely cause is The file extension for the requested URL does not have a handler configured to process the request on the Web server.

Task 2: Examine and correct the web.config file


1. In Windows Explorer, browse to C:\Pics.
2. Double-click web.config. On the Windows dialog, click Select a Program from a list of installed programs, and then click OK.
3. Click Notepad, and then click OK.
4. The Notepad window opens. Notice that the <handlers> section contains a line for handling static files. Notice that the path attribute is set to *.jgp.
5. Modify the line so that the path attribute correctly reads *.jpg.
6. On the File menu, click Save.
7. Close Notepad.

Task 3: Verify functionality


1. In Internet Explorer, browse to http://localhost/pics/logo.jpg.
2. Notice that the Woodgrove Bank logo now appears successfully.
3. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have reproduced the problem, examined the detailed error message, and resolved the error.
