Getting Started with IIS Manager
tobint
Introduction
This IIS Manager overview explains why IIS 7.0 has an entirely new user interface, and then goes
on to describe the look and feel, feature delegation, interaction with configuration, and remoting.
This document was written for Windows Server® 2008. Windows Vista may not have some of
the functionality/features discussed in this document.
The Internet Information Services (IIS) Manager is entirely new in IIS 7.0.
• IIS and ASP.NET work together: IIS 6.0 users right-click on a web site, select "All
Properties", and get a dialog with a number of tabs for different settings. With IIS 7.0, IIS
Manager needed to show configuration for new features like Output Caching, Failed Request
Tracing, and Request Filtering, as well as configuration for ASP.NET and relevant portions of
the .NET Framework. The new functionality would have required many more new tabs,
an unacceptable option.
• Delegated Administration: Moving our configuration from the metabase to the .NET
configuration system means that users can, if permitted, set IIS configuration in web.config
files. For example, configuration for an application http://www.contoso.com/sales can be
written to the root config file applicationHost.config, to the site http://www.contoso.com/
web.config file, or directly to the application's web.config file. The new IIS Manager has to:
1) allow an administrator to control the configuration permitted in web.config files, 2) show
the administrator/user where configuration is being written. The older IIS Manager was
not up to these challenges.
• Engineering Reasons: Software has a shelf life. Time brings new technologies, new
requirements, new conventions, and there comes a point where updating existing software
becomes more labour intensive and costly than rebuilding the software. IIS Manager was
approaching the end of its shelf life.
Anything else to know? Once we decided to rewrite IIS Manager, we took the opportunity to
improve in a number of key ways:
• Extensibility: Extending the IIS 6.0 version of IIS Manager was prohibitively difficult. The
new IIS Manager makes it much easier to add feature pages, treeview nodes, and menu
items; all using managed code and WinForms. New IIS Manager extensions are
automatically detected and downloaded by remote IIS Manager clients connecting to the
server.
• Remote Administration: Remote administration is all done over HTTPS, making it firewall
friendly and easier to manage. The Web Management Service (WMSVC) is the optionally
installable component that enables remote administration.
• New Look and Feel: The IIS Manager needed a new, more scalable model for exposing
settings, and the resulting feature list view resembles the Control Panel. A list view can be
sorted, grouped, and viewed in different ways, all making it easier to find what you're
looking for. IIS Manager navigation has also taken on a more browser-like feel with an
address bar a la Windows Explorer.
Home Page
The Home Page will become very familiar as soon as you start using IIS Manager. The feature list
in the middle can be sorted by feature name or description, grouped by area or category, and
viewed in different layouts.
Figure 2: Grouping in IIS Manager
Feature Scopes
Server, site, application, virtual directory, and folder nodes in the treeview all show a Home Page
with a feature list. Most features appear on Home Pages for all these nodes, but there are
exceptions.
These features appear on the server Home Page only because they are server-wide
configuration, data, or information:
• Membership Users
• Membership Roles
• Profile
• SSL
The features associated with delegation have special rules for where they appear:
• Feature Delegation: always appears only for the root node of a connection
• Administrators: appears only for Server, Site and Application nodes
List Page
List pages contain lists. Most list pages let you group by values in one or more columns. The
main list pages, like Sites and Application Pools, let you filter the list entries by searching in a
list column for entries that match a search string.
The Add/Edit/Remove tasks in the task pane let you manipulate the contents of the list.
Feature settings that aren't specific to a list entry, e.g. specifying that custom errors should be
overridden by detailed errors for local requests, are generally configured through the Edit
Feature Settings… task.
Figure 4: IIS Manager Actions
Property Grid
Property grid pages show grids of related properties. The Display selector at the top of the
property grid lets you choose whether you would like to view friendly property names, the
configuration property names, or both. The screenshot below shows both names.
Dialog
Dialog pages have checkboxes, textboxes and radio buttons, and are generally the most familiar
type of page. Use Apply/Cancel in the task pane to save changes.
Content View
Content View is a read-only display; you can't create, copy, move, or delete files or folders in this
view. You can get into Content View by clicking "Content View" in the Features View/Content
View switcher at the bottom of the IIS Manager middle pane, or by right-clicking a treeview node
and selecting "Switch to Content View".
The only way to set configuration for a file is to switch to Content View, select the file, and
click "Switch to Features View" in the right-click menu or in the task pane.
Feature Delegation
You might be interested in feature delegation if you are a server administrator and you are not
the primary person providing content on your server, or if you are a developer and you want
more control over IIS configuration for your application.
Configuration Locking
If a configuration section is "locked" by default, it can only be configured in
applicationHost.config. IIS Manager provides a means for server administrators to "unlock" IIS
configuration sections. Once a section of configuration is unlocked, it can be set in web.config
files by non-administrators.
For example, the "Custom Error Pages" feature in IIS Manager interacts with configuration in the
"system.webServer/httpErrors" section. If the server administrator uses IIS Manager or appcmd
to unlock the system.webServer/httpErrors configuration section, the httpErrors section will appear
inside a location tag with overrideMode="allow" in applicationHost.config:
<location overrideMode="allow">
  <system.webServer>
    <httpErrors/>
  </system.webServer>
</location>
OverrideMode="allow" means that it's valid to set configuration for httpErrors in a web.config file:
<configuration>
<system.webServer>
<httpErrors>
</httpErrors>
</system.webServer>
</configuration>
See the "Server, Site and Application Connections" section below to see how configuration
locking affects connections. For in-depth information on configuration locks, see How To Use
Configuration Locking.
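The following added example (not part of the original article, and not IIS code) shows one way an administrator could audit which configuration sections are unlocked for web.config, and so open to non-administrators. It goes beyond the single httpErrors case by also reading the overrideModeDefault attribute that applicationHost.config declares under configSections; the sample XML, its lock defaults and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; these lock defaults are illustrative, not IIS shipping values.
SAMPLE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="httpErrors" overrideModeDefault="Deny" />
      <section name="defaultDocument" overrideModeDefault="Allow" />
    </sectionGroup>
  </configSections>
  <location overrideMode="allow"><system.webServer><httpErrors /></system.webServer></location>
  <location path="Default Web Site" overrideMode="Deny">
    <system.webServer><defaultDocument /></system.webServer>
  </location>
</configuration>"""

def section_defaults(node, prefix=""):
    """Yield (section path, default lock state) for every declared section."""
    for child in node:
        path = prefix + child.get("name", "")
        if child.tag == "sectionGroup":
            yield from section_defaults(child, path + "/")
        elif child.tag == "section":
            yield path, child.get("overrideModeDefault", "Allow").capitalize()

def sections_in(node, known, prefix=""):
    """Yield declared section paths found beneath a location tag."""
    for child in node:
        path = prefix + child.tag
        if path in known:
            yield path
        else:
            yield from sections_in(child, known, path + "/")

def delegation_report(xml_text):
    """Return {(location path, section): 'Allow'|'Deny'}; path '' is server level."""
    root = ET.fromstring(xml_text)
    defaults = dict(section_defaults(root.find("configSections")))
    report = {("", section): mode for section, mode in defaults.items()}
    for loc in root.iter("location"):
        mode = loc.get("overrideMode", "Inherit").capitalize()
        if mode in ("Allow", "Deny"):  # Inherit keeps the parent's state
            for section in sections_in(loc, defaults):
                report[(loc.get("path", ""), section)] = mode
    return report

def web_config_writable(report):
    """Scopes and sections that can be set in web.config files."""
    return sorted(key for key, mode in report.items() if mode == "Allow")
```

An entry keyed by a site path overrides the server-level entry for that site and everything beneath it, so a Deny on "Default Web Site" wins there even when the server-level state is Allow.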
• Manage unlocked configuration for their site or application (settings are written into
web.config files)
• View locked configuration settings without being able to modify them
• Add other site or application administrators for their site or application
For information on how to create site and application administrators, see the online
documentation Create Site and Application Administrators for Delegation.
Machine administrators and designated Site Administrators can connect to web sites. Site
connections can only write to web.config files under the site's root folder. If a
configuration section is locked in applicationHost.config, the corresponding feature will appear
read-only in site connections because site connections cannot write configuration to
applicationHost.config (even in a location tag). This affects both machine administrators and Site
Administrators.
Machine administrators, designated Application Administrators, and Site Administrators for the
application's parent site, can connect to an application. Application connections can only
write to web.config files under the application's root folder. If a configuration section is
locked in applicationHost.config or the site's web.config file, the corresponding feature will
appear read-only in application connections.
For information on how to connect to a server, site or application, see the online documentation
on Managing Connections in IIS 7.0.
Configuration
Even if you never change configuration locking and never use feature delegation, at some point
you're going to wonder how IIS Manager decides where to write configuration. There are two
rules that define this behavior:
• ApplicationHost.config vs. root Web.config: if the feature is listed under the ASP.NET area in
IIS Manager, server level configuration will be written to the root web.config file for .NET
Framework v2.0. If the feature is listed under the IIS area in IIS Manager, server level
configuration will be written to applicationHost.config. The only exception to this rule is
Forms Authentication, which is in the Authentication feature under the IIS area.
• Locked vs. Unlocked Configuration: All ASP.NET configuration sections, and a few IIS
configuration sections, are unlocked by default. For unlocked sections, IIS Manager will
write to the site's web.config if the configuration is changed for the site, or an application's
configuration if the configuration is changed for an application. Most IIS configuration
sections are locked by default. For locked sections, IIS Manager will always write to
applicationHost.config even when modifying configuration for sites and applications.
Status Bar
The status bar shows where IIS Manager will write configuration:
The <config_file_object_path> is the path to the configuration file object, for example:
.NET Compilation is .NET Framework configuration, and it appears under ASP.NET if you
group/filter the home page feature list by Area. If you've navigated to the server-level .NET
Compilation page and you set the default language to C#, IIS Manager will add the
defaultLanguage attribute to the compilation section in the root web.config file, i.e.
%windir%\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config:
<compilation defaultLanguage="C#">
The status bar for both these situations will read: Configuration: 'localhost' applicationHost.config
or root web.config
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
The status bar will read: Configuration: 'Default Web Site' web.config
The IIS "httpErrors" configuration section is unlocked by default. If you customize the HTTP 404
response for the Default Web Site, IIS Manager will write this configuration to
%windir%\Windows\system32\inetsrv\applicationHost.config:
<location path="Default Web Site">
  <system.webServer>
    <httpErrors>
    </httpErrors>
  </system.webServer>
</location>
The status bar will read: 'localhost' applicationHost.config or root web.config, <location
path="Default Web Site">
IIS Manager remoting for IIS 6.0, and previous versions of IIS, was through MMC and was always
enabled. With IIS 7.0, IIS Manager remoting must be explicitly enabled. All remote management
is done over HTTPS and is handled by an IIS component called the Web Management Service
(WMSVC). If you want to enable remote management of IIS 7.0 through IIS Manager, read How to
Enable IIS Manager Remoting.
Login Requests
IIS Manager sends a login request across the wire to WMSVC to initiate a connection.
Authentication is either NTLM or basic, depending on what the user selected when they were
asked to provide credentials in the connection dialog.
Figure 9: Specifying Credentials
Ping Requests
Ping requests are made from within the WMSVC service to the web server (HWC) it hosts. Ping
requests are a simple mechanism to ensure the hostable web core continues to be responsive.
Service Configuration
WMSVC has a very small set of editable configuration stored in the registry. Each time the service
is started, the web configuration files are regenerated in
%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\WMSvc<GUID>\. The web configuration files
cannot be edited, even by administrators.
Figure 10: Changing Configuration in Registry
Security
IIS Manager and Web Management Service (WMSVC) remoting has been through a series of
reviews to ensure the functionality is simple and secure. These are a few of the security
measures taken:
• Requires SSL (HTTPS) for all connections to secure data passed between the remote IIS
Manager client and WMSVC
• Runs as Local Service with a reduced permission set
• Locked down Hostable Web Core (HWC) configuration, including a minimal set of required
modules and carefully crafted request filtering rules.
What is IIS WEB GARDENS?
Note
Web gardens are different from Web farms. A Web garden is configured on a single server by
specifying multiple worker processes for an application pool. Web farms use multiple servers for
a Web site.
Creating a Web garden for an application pool can also enhance performance in the following
situations:
• Robust processing of requests: When a worker process in an application pool is tied up (for
example, when a script engine stops responding), other worker processes can accept and
process requests for the application pool.
• Reduced contention for resources: When a Web garden reaches a steady state, each new
TCP/IP connection is assigned, according to a round-robin scheme, to a worker process in the
Web garden. This helps smooth out workloads and reduce contention for resources that are
bound to a worker process.
Procedures
Important You must be a member of the Administrators group on the local computer to
perform the following procedure or procedures. As a security best practice, log on to your
computer by using an account that is not in the Administrators group, and then use the runas
command to run IIS Manager as an administrator. At a command prompt, type runas
/user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
To configure a Web garden by using IIS Manager
1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool,
and then click Properties.
2. Click the Performance tab, and under Web garden, in the Maximum number of worker processes
box, type the number of worker processes that you want to assign to the application pool. (You must
type a number greater than 1 for the application pool to become a Web garden.)
3. Click OK.
Optionally, you can configure a Web garden by setting the metabase property MaxProcesses.
The MaxProcesses property determines the maximum number of worker processes that an
application pool allows to service its requests. A value of zero indicates an unmanaged
application pool that is not served by a worker process.
The default value for the MaxProcesses property is 1, which is the default number of worker
processes that service an application pool. To configure an application pool so that it is a Web
garden, set the MaxProcesses property to a value greater than 1.
Important You must be a member of the Administrators group on the local computer to run
scripts and executables. As a security best practice, log on to your computer by using an account
that is not in the Administrators group, and then use the runas command to run your script or
executable as an administrator. At a command prompt, type runas /profile
/user:MyComputer\Administrator cmd to open a command window with administrator rights
and then type cscript.exe ScriptName (include the script's full path and any known parameters).
To configure a Web garden by using Adsutil.vbs
1. In the Run dialog box, type cmd, and then click OK.
Replace n with the number of worker processes that you want to service the application pool.
For more information about configuring Web gardens, see MaxProcesses Metabase Property.