Posts Tagged ‘IIS7’

Backing Up and Restoring the IIS7 Configuration

December 28th, 2008 by Paul Sterley | 2 Comments | Filed in IIS, In the Windows Box, Windows Server

In IIS6, if you wanted to back up and restore IIS, you used the GUI to back up and restore the mysterious “metabase”.

In IIS7, you will need to use a command prompt (with elevated permissions).

Go to c:\windows\system32\inetsrv, and run the following:

appcmd add backup "YourBackupNameHere"

Then press Enter.

This creates a folder under c:\windows\system32\inetsrv\backup called “YourBackupNameHere” or whatever you typed in there.

In this folder there are several files that you can mess with if you choose. In particular, the file called “applicationHost.config” contains most of the settings you’ll probably be looking for.

This can be useful for backing up IIS, copying the folder, modifying the XML files in there, and then restoring the modified files. If the desired result is not achieved, you can restore the unmodified backup.

The restore command is:

appcmd restore backup "YourBackupNameHere"
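The edit-and-restore cycle described above, as an added PowerShell example (not part of the original post). The backup names "Baseline" and "Edited" and both function names are placeholders chosen for illustration; it assumes, as the post describes, that a copied folder under inetsrv\backup can be restored by name.

```powershell
# Added example: check an edited backup for well-formed XML before restoring it,
# and fall back to the untouched backup if the restore fails. Run elevated.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'
$appcmd  = Join-Path $inetsrv 'appcmd.exe'

function Test-IisBackupXml {
    # Returns $true only if every .config file in the backup folder parses as XML.
    param([Parameter(Mandatory=$true)][string]$BackupName)
    $dir = Join-Path $inetsrv "backup\$BackupName"
    if (-not (Test-Path $dir)) { return $false }
    foreach ($file in Get-ChildItem -Path $dir -Filter '*.config') {
        try {
            $doc = New-Object System.Xml.XmlDocument
            $doc.Load($file.FullName)
        } catch {
            Write-Warning "$($file.Name) is not well-formed: $($_.Exception.Message)"
            return $false
        }
    }
    return $true
}

function Restore-IisBackupChecked {
    # Restores $Edited only if it parses; restores $Known if that restore fails.
    param([string]$Edited, [string]$Known)
    if (-not (Test-IisBackupXml -BackupName $Edited)) {
        Write-Warning "Refusing to restore '$Edited'; live configuration left unchanged."
        return
    }
    & $appcmd restore backup $Edited
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Restore of '$Edited' failed; restoring '$Known'."
        & $appcmd restore backup $Known
    }
}

# Usage: take a baseline, copy it, edit the copy, then restore the copy.
& $appcmd add backup 'Baseline'
Copy-Item (Join-Path $inetsrv 'backup\Baseline') (Join-Path $inetsrv 'backup\Edited') -Recurse
# ... edit backup\Edited\applicationHost.config here ...
Restore-IisBackupChecked -Edited 'Edited' -Known 'Baseline'
```

A well-formedness check only catches broken XML; a file that parses can still contain settings IIS rejects, which is what the fallback restore is for.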

Enjoy!


Configure IIS7 to Run a Website as a Specific User

December 28th, 2008 by Paul Sterley | No Comments | Filed in IIS, In the Windows Box, Windows Server

Problem: You wish to maintain anonymous access to a website, but configure it to run as a specific user.

Usage Scenario: You want to use a SQL connection string to access a database with a trusted connection.

For example, your connection string might look something like this:

connStr = "Provider=SQLOLEDB;Data Source=Server\MSSQLInstance;Initial Catalog=YourDatabase;Trusted_Connection=yes;"

This is an alternative to enabling SQL authentication and putting the username and password in your web code, which has its own risks. Microsoft has also been trying to get people to stop doing that for years. You must choose what security measures you wish to implement.

There are a couple of options available for you to do this. One method is to configure the website’s anonymous authentication attribute directly. The other is to create a new application pool, configure it to use the specified user as its identity, and then set up the website to use that application pool. Each one entails plugging a user account and password into IIS. “Pick your poison” is what my friend Eugene has to say about this.

The advantage of using an Application Pool would be if you wanted to set up multiple websites this way. It would be easier to maintain a central point of administration for the user account.

Option 1: Edit the website directly

  1. Create a user account. (This should be a local account if possible. If you are doing this on a DC, then be sure to make a new security group that is not assigned explicit permissions to anything, set this group as the user’s primary group, and remove the user from the Domain Users group.)
  2. Open IIS Admin.
  3. Select the website.
  4. Double-click the “Authentication” icon.
  5. Select Anonymous Authentication.
  6. Click the Edit link under Actions on the right-hand side.
  7. Click the radio button for “Specific user” and the Set button.
  8. Input the username/password you created earlier.
  9. Click OK, and OK to close the dialog. You may need to restart the website for the changes to take effect.

Option 2: Use an Application Pool

  1. Create a user account. (This should be a local account if possible. If you are doing this on a DC, then be sure to make a new security group that is not assigned explicit permissions to anything, set this group as the user’s primary group, and remove the user from the Domain Users group.)
  2. Open IIS Admin.
  3. Select Application Pools.
  4. Click Add Application Pool in the Actions area on the right side.
  5. Type a name for the Application Pool and click OK. 
  6. Right-click your new Application Pool and choose Advanced Settings.
  7. In the General area, select Managed Pipeline Mode, and select Classic from the list. (Leaving this set to “Integrated” will cause other integrated Application Pools to take on these changes.)
  8. In the Process Model area, select the Identity attribute, and click the “…” button.
  9. Click the radio button for “Custom account” and click the Set button.
  10. Input the username/password you created earlier.
  11. Click OK, and OK to close the dialog.
  12. Click OK to close the Application Pool settings dialog.
  13. You may need to recycle your Application Pool for the changes to take effect.
  14. Select the website.
  15. Double-click the “Authentication” icon.
  16. Select Anonymous Authentication.
  17. Click the Edit link under Actions on the right-hand side.
  18. Click the radio button for “Application Pool Identity”.
  19. Click OK to close the dialog. You may need to restart the website for the changes to take effect.
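Both options end up as account names stored in applicationHost.config, so it is worth being able to list them. The following is an added PowerShell example (not from the original post) that reports which application pools run as a custom account and which sites override the anonymous user. The sample configuration, the account WEB01\svc_web, the pool and site names, and the function name are all constructed for illustration.

```powershell
# Added example. $sample is a constructed config; on a server, load
# %windir%\System32\inetsrv\config\applicationHost.config instead.
[xml]$sample = @'
<configuration>
  <system.applicationHost><applicationPools>
    <add name="DefaultAppPool" />
    <add name="SqlTrustedPool" managedPipelineMode="Classic">
      <processModel identityType="SpecificUser" userName="WEB01\svc_web" password="[placeholder]" />
    </add>
  </applicationPools></system.applicationHost>
  <location path="Site A">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="WEB01\svc_web" password="[placeholder]" />
    </authentication></security></system.webServer>
  </location>
  <location path="Site B">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

function Get-IisConfiguredIdentity {
    # Lists custom app pool accounts and per-site anonymous-authentication accounts.
    param([xml]$Config)
    foreach ($pool in $Config.SelectNodes('//applicationPools/add')) {
        $pm = $pool.SelectSingleNode('processModel')
        if ($null -ne $pm -and $pm.GetAttribute('identityType') -eq 'SpecificUser') {
            New-Object psobject -Property @{
                Kind = 'AppPool'; Name = $pool.GetAttribute('name'); Account = $pm.GetAttribute('userName') }
        }
    }
    foreach ($anon in $Config.SelectNodes('//location//anonymousAuthentication')) {
        $site = $anon.SelectSingleNode('ancestor::location').GetAttribute('path')
        $account = $anon.GetAttribute('userName')
        if (-not $anon.HasAttribute('userName')) {
            $account = '(inherited)'
        } elseif ($account -eq '') {
            # Empty userName: anonymous requests run as the application pool identity.
            $account = '(application pool identity)'
        }
        New-Object psobject -Property @{ Kind = 'AnonymousAuth'; Name = $site; Account = $account }
    }
}

Get-IisConfiguredIdentity -Config $sample | Format-Table Kind, Name, Account -AutoSize
```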


Get Detailed Error Messages Using IE/IIS7

December 28th, 2008 by Paul Sterley | No Comments | Filed in In the Windows Box, Windows Server, Workstation OS

Situation: You are writing or debugging some web code, and the error you are seeing in the browser is almost, but not quite, entirely useless. It may be pretty though.

Environment: IE6 or 7 on the workstation, Windows Server 2008 and IIS7 on the server.

The first place to look is the browser settings.

  1. Click the Tools menu (might have to press ALT first to see it).
  2. Click Internet Options.
  3. Go to the Advanced tab.
  4. Uncheck the box for “Show friendly HTTP error messages”.

The second place to look is in the Error Pages section of IIS:

  1. Open IIS Admin.
  2. Select a web site.
  3. Open the Error Pages tombstone (doesn’t it look like a graveyard of icons?).
  4. Click the extremely intuitive Edit Feature Settings link under Actions on the right side.
  5. In the Error Responses area, choose your preference.

It is “more secure” to leave the default settings. One could argue that you can do your testing with the web browser on the local server, so you only need local requests to return useful error messages. However, you might wonder during your testing whether IE Enhanced Security, UAC, DEP, and other wonderful security settings that you have left on your server are interfering with the operation of your web application. For this reason, you may want to flip this over to “Detailed errors”, at least while you are working on the problem.

Finally, there is one more place to look.
I am uncertain whether this affects only classic ASP code, or ASP.NET as well, but here it is:

  1. Select a web site.
  2. Double-click the ASP tombstone.
  3. Click the “+” sign next to Debugging Properties.
  4. Change the “Send Errors to Browser” parameter to “True”.

That should do the trick. See how much easier debugging is now?
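Since these settings are meant to be switched on only while you are working on the problem, here is an added PowerShell example (not from the original post) that flags them in a configuration file so they can be set back afterwards. It checks the httpErrors errorMode and asp scriptErrorSentToBrowser attributes that the two IIS steps above write; both XML documents, the site name, and the function name are constructed for illustration.

```powershell
# Added example. Both documents are constructed samples; on a server, pass the
# site's web.config and applicationHost.config to Find-VerboseErrorSetting.
[xml]$siteConfig = @'
<configuration>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>
'@
[xml]$hostConfig = @'
<configuration>
  <location path="Site A">
    <system.webServer>
      <asp scriptErrorSentToBrowser="true" />
    </system.webServer>
  </location>
</configuration>
'@

function Find-VerboseErrorSetting {
    # Emits one line per setting that sends error detail to remote browsers.
    param([xml]$Config, [string]$Source)
    foreach ($node in $Config.SelectNodes('//system.webServer/httpErrors')) {
        # DetailedLocalOnly is the default; Detailed also applies to remote requests.
        if ($node.GetAttribute('errorMode') -eq 'Detailed') {
            "${Source}: httpErrors errorMode=Detailed"
        }
    }
    foreach ($node in $Config.SelectNodes('//system.webServer/asp')) {
        if ($node.GetAttribute('scriptErrorSentToBrowser') -eq 'true') {
            "${Source}: asp scriptErrorSentToBrowser=true"
        }
    }
}

Find-VerboseErrorSetting -Config $siteConfig -Source 'web.config (constructed)'
Find-VerboseErrorSetting -Config $hostConfig -Source 'applicationHost.config (constructed)'
```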


Updated: Add the OWA Virtual Directory to an IIS7 website for Exchange 2007

December 28th, 2008 by Paul Sterley | No Comments | Filed in Exchange Server, In the Windows Box, Migration

Problem: You want separate URLs under two different domain names, both with SSL and both pointing to the same Exchange server.

Environment: Exchange 2007 on Server 2008 with IIS7.

Usage Scenario: Your organization has two (or more) e-mail domains, and users in both domains want to use their own domain names to access OWA. For example, users with domain1.com e-mail addresses want to go to https://remote.domain1.com/owa, and users with domain2.com e-mail addresses want to go to https://remote.domain2.com/owa to access their e-mail.

In Exchange 2003/IIS6, you might have done some crazy metabase manipulations, such as exporting the entire website to a file, then reading it, and choosing to import the /exchange subfolder only.

Well, it’s actually somewhat simpler than that with Exchange 2007/IIS7.
Here’s what to do:
1. Open Exchange Management Shell with elevated permissions.
2. Paste this command into the shell:

New-OWAVirtualDirectory -OwaVersion:Exchange2007 -ExternalUrl:https://remote.domain2.com -InternalUrl:https://remote.domain2.com -Name "owa" -WebSiteName "Domain2.com"

Change the parameters in this command to match your environment, of course.

This command makes some assumptions:
a. Your external and internal URLs to access the website are the same. You could use different ones at this point. It’s up to you.
b. Domain1.com already has OWA enabled. So, we’re adding the OWA virtual directory to Domain2.com.

If you’re experimenting with this, and you make a mistake, DO NOT delete the virtual directory from the website using IIS Admin. Instead, use this command in Exchange Management Shell:
Remove-OwaVirtualDirectory -Identity "owa (Domain2.com)"

This will not only remove the virtual directory, but also fix some behind-the-scenes stuff that would have bitten you if you had deleted the virtual directory (voice of experience here).

Here is a Technet article with the complete command reference for the New-OWAVirtualDirectory command, and some related ones.

Updated - Here is a related command to add the ActiveSync virtual directory as well:

New-ActiveSyncVirtualDirectory -WebSiteName "YourWebSite" -ExternalURL "http://YourAccessURL/Microsoft-Server-ActiveSync"

If this gets out of sync, you can use this command to remove it:

Remove-ActiveSyncVirtualDirectory "Microsoft-Server-ActiveSync (YourWebSiteName)"
