Backing up and Restoring IIS configuration

From NEOSYS Technical Support Wiki


Windows IIS has an automatic configuration backup built into every installation, but it writes only to the C: drive. This article explains how to get that backup copied properly off-server by the NEOSYS backup processes on servers with many installations. Small installations hardly need an IIS backup, since reconfiguring a single website takes little time.

The main point of this article is to give an understanding of the backup process and, perhaps most importantly, how it can be used to restore on servers with large numbers of web sites, like win3/win4.

All IIS configuration performed in IIS Manager is backed up and restored by the procedures below ... EXCEPT imported certificates and the binding/mapping of port numbers to certificates. Those are not stored in applicationHost.config at all (the certificates live in the Windows certificate store and the port-to-certificate bindings in the HTTP.sys SSL configuration that netsh http show sslcert displays), so they need the separate procedure discussed later in [[Backing up and Restoring IIS configuration#Backing up certificate bindings]].

This article does not include backup or restore of actual web site directories, files and permissions.

A simple backup of IIS configuration can be made at any time, and quickly, before making a change in IIS that you are uncertain of:

c:\windows\system32\inetsrv\appcmd add backup SOMEBACKUPNAME

A simple restore puts everything back as it was. Sites unaffected by the restore appear not to be restarted, so this can be done while users are online on unaffected websites. In the worst case users will have to log in again, but as the login is a popup in the middle of existing NEOSYS screens they should not lose the work they are doing or the documents they are entering.

c:\windows\system32\inetsrv\appcmd restore backup SOMEBACKUPNAME

Essentially the whole IIS configuration for all sites is stored in a single text file, which can be edited, backed up and restored manually by simple file copy, or by using the APPCMD.EXE program, which has the advantage of reloading IIS automatically at the appropriate time (APPCMD's backup also copies administration.config and redirection.config from the same config directory). That file is:

%windir%\system32\inetsrv\config\applicationHost.config

Windows provides a command, appcmd.exe, to manage IIS configuration from the command line. All APPCMD commands must either be run from the following directory or be prefixed with "%windir%\system32\inetsrv\", as follows:

c:
cd %windir%\system32\inetsrv
appcmd list backup

or all in one line

%windir%\system32\inetsrv\appcmd list backup

Set IIS automatic backup location to D:

By default, Windows automatically keeps the last 10 IIS configurations in c:\inetpub\history, checking for changes every 2 minutes.

The steps below have already been done on win3/win4.

We need to:

  1. Change the location of the automatic backups, since NEOSYS backup procedures do not back up the C: drive. ESSENTIAL
  2. Increase the number of backups. OPTIONAL

Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100, by entering the following commands in command prompt.

mkdir d:\inetpub\history
c:
cd %windir%\system32\inetsrv
appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost

Check that automatic backups are in fact now going to D: by making some trivial change in IIS and waiting 2 minutes for the new backup directory to appear under d:\inetpub\history.
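A script, added here as an example and not part of the NEOSYS procedure, that reads the configHistory section back and checks it directly instead of waiting for a backup to appear. It is written for the Unix-style shell the rest of this page uses; the two XML snippets in it are constructed to resemble what appcmd list config -section:system.applicationHost/configHistory prints, and the function names are the example's own:

```shell
#!/bin/sh
# Added example (not from the NEOSYS wiki): read back the effective configHistory
# settings and complain if automatic IIS backups still go to the C: drive.
# On the server, feed it the real output from a Unix-style shell:
#   xml=$(appcmd list config -section:system.applicationHost/configHistory)
#   check_confighistory "$xml"
# The two XML samples below are constructed to look like that output.

# xml_attr NAME LINE -> value of attribute NAME="..." in LINE, empty if absent
xml_attr() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# confighistory_field NAME XML -> effective value of that configHistory attribute,
# falling back to the IIS default when appcmd does not print the attribute.
# Returns 2 if XML has no configHistory element at all.
confighistory_field() {
    line=$(printf '%s\n' "$2" | grep -i '<configHistory' | head -n 1)
    [ -n "$line" ] || return 2
    val=$(xml_attr "$1" "$line")
    if [ -z "$val" ]; then
        case "$1" in
            enabled)      val=true ;;
            path)         val='%SystemDrive%\inetpub\history' ;;
            maxHistories) val=10 ;;
            period)       val=00:02:00 ;;
        esac
    fi
    printf '%s\n' "$val"
}

# check_confighistory XML -> 0 when automatic backups are enabled and go to a
# drive other than C:, 1 when they do not (reason on stderr), 2 on bad input
check_confighistory() {
    enabled=$(confighistory_field enabled "$1") || { echo "no configHistory section in input" >&2; return 2; }
    path=$(confighistory_field path "$1")
    max=$(confighistory_field maxHistories "$1")
    period=$(confighistory_field period "$1")
    case "$enabled" in
        [Tt]rue) ;;
        *) echo "FAIL: automatic IIS backups are disabled" >&2; return 1 ;;
    esac
    case "$path" in
        # %SystemDrive% is C: on these servers, so the implied default fails too
        [Cc]:*|%SystemDrive%*) echo "FAIL: backups go to $path, which NEOSYS backups do not cover" >&2; return 1 ;;
    esac
    echo "OK: keeping $max automatic backups in $path, checking every $period"
}

# Constructed sample: a default installation (everything explicit, path on C:)
SAMPLE_DEFAULT='<system.applicationHost>
  <configHistory enabled="true" path="%SystemDrive%\inetpub\history" maxHistories="10" period="00:02:00" />
</system.applicationHost>'

# Constructed sample: after the two appcmd set config commands above; enabled
# and period are deliberately omitted to exercise the default handling
SAMPLE_MOVED='<system.applicationHost>
  <configHistory path="d:\inetpub\history" maxHistories="100" />
</system.applicationHost>'

check_confighistory "$SAMPLE_DEFAULT" || true   # reports FAIL on stderr
check_confighistory "$SAMPLE_MOVED"             # reports OK
```

Where appcmd omits attributes that are still at their defaults, the check falls back to the IIS defaults (enabled, %SystemDrive%\inetpub\history, 10 copies, 2 minutes), so a path on C: is reported as a failure whether it is explicit or implied.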

Using other IIS configuration commands

Other APPCMD configuration commands are as follows, here shown setting the default values:

appcmd set config -section:system.applicationHost/configHistory /enabled:"True" /commit:apphost
appcmd set config -section:system.applicationHost/configHistory /period:"00:02:00" /commit:apphost

Manually triggering backup of IIS

appcmd add backup SOMEBACKUPNAME

Manual backups are just copies of the IIS configuration files, the same as the automatic backups ... but they are stored in a different place:

C:\Windows\System32\inetsrv\backups\SOMEBACKUPNAME

Restoring IIS backups

APPCMD only lists backups in its default locations and in the currently configured automatic location; on a freshly built server that is still c:\inetpub\history, so copy the last backup directory (eg CFGHISTORY_0000000913) from d:\inetpub\history to c:\inetpub\history, eg using cut and paste.

Get to the directory where the APPCMD program is stored

c:
cd %windir%\system32\inetsrv

List available backups and check your backup is available

appcmd list backup

Perform the restore

appcmd restore backup CFGHISTORY_0000000913

Note that restoring will also set the automatic backup directory to wherever it was when the backup was taken (ie d:\inetpub\history), because that setting is itself part of applicationHost.config.

Each backup is stored in a separate directory and you can rename them by simply changing the directory name.

The list of available backups is a merged set from the default automatic location, the configured automatic location (changed from the default C: to D:) and the default manual backup location:

c:\inetpub\history (AUTOMATICALLY TRIGGERED, ORIGINAL DEFAULT LOCATION)
d:\inetpub\history (AUTOMATICALLY TRIGGERED AFTER RECONFIGURATION)
c:\windows\system32\inetsrv\backups (MANUALLY TRIGGERED)

There is no need to restart IIS after restoring with APPCMD RESTORE, but you may need to press F5 in IIS Manager to refresh and see the results if the restore changed anything.
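The steps above, scripted as an added example (not the wiki's own restore script) for a warm backup server. It assumes a Unix-style shell on the server in which the drives appear as /cygdrive/c and /cygdrive/d (an assumption about that shell; adjust the paths if yours maps drives differently) and that appcmd.exe is in its standard %windir%\system32\inetsrv location unless another path is given. It picks the newest complete CFGHISTORY directory, copies it where APPCMD looks, confirms APPCMD lists it, and only then restores:

```shell
#!/bin/sh
# Added example (not from the NEOSYS wiki): script the restore steps above for a
# warm backup server. Assumptions: the NEOSYS backup process has already put the
# d:\inetpub\history tree back, and the script runs from a Unix-style shell on the
# server in which drives appear as /cygdrive/c and /cygdrive/d (assumed mapping).

# latest_history_backup SRCDIR -> name of the highest-numbered CFGHISTORY_*
# directory in SRCDIR that contains an applicationHost.config; directories
# without one (an interrupted copy) are skipped. Returns 1 if there is none.
latest_history_backup() {
    best=""
    for d in "$1"/CFGHISTORY_*; do
        [ -f "$d/applicationHost.config" ] || continue
        name=${d##*/}
        num=${name#CFGHISTORY_}
        case "$num" in ''|*[!0-9]*) continue ;; esac
        # compare the numeric suffix, not the string, so padding differences cannot mislead
        if [ -z "$best" ] || [ "$num" -gt "${best#CFGHISTORY_}" ]; then
            best=$name
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# stage_and_restore SRCDIR DSTDIR NAME [APPCMD] -> copy backup NAME from SRCDIR
# into DSTDIR (the c:\inetpub\history that appcmd looks in), confirm appcmd can
# see it, then restore it. Without appcmd (running off the server) it prints
# what it would run and returns 3, so the staging step can still be tested.
stage_and_restore() {
    src=$1; dst=$2; name=$3
    appcmd=${4:-/cygdrive/c/Windows/System32/inetsrv/appcmd.exe}
    [ -f "$src/$name/applicationHost.config" ] || { echo "no complete backup $name in $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    # copy rather than move, so the copy on D: (the one backed up off-server) survives
    if [ ! -d "$dst/$name" ]; then
        cp -R "$src/$name" "$dst/" || return 1
    fi
    [ -f "$dst/$name/applicationHost.config" ] || return 1
    if [ -x "$appcmd" ]; then
        "$appcmd" list backup | grep -q "$name" || { echo "appcmd does not list $name" >&2; return 1; }
        "$appcmd" restore backup "$name"
    else
        echo "appcmd not found at $appcmd; would run: appcmd restore backup $name" >&2
        return 3
    fi
}

# Usage on the server (drive paths are the assumed /cygdrive mapping):
#   name=$(latest_history_backup /cygdrive/d/inetpub/history) &&
#   stage_and_restore /cygdrive/d/inetpub/history /cygdrive/c/inetpub/history "$name"
```

Because the restore also resets the configHistory path to D: (see the note above), a second run of the same script after that point finds the backups in both locations, which is harmless.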

Manually editing IIS configuration

You can edit the configuration file in any backup directory and then restore that backup.

This is useful either to make custom changes that cannot be done in the UI, eg removing an https binding without affecting other sites that use the same certificate, or to make mass changes that are quicker by editing a text file than by navigating a complex GUI, such as removing all http site bindings.

The file to edit inside the backup directory is applicationHost.config. Take a fresh appcmd add backup of the live configuration before restoring a hand-edited copy, so there is a known-good configuration to go back to if the edit breaks something.

Other IIS APPCMD config commands:

c:
cd %windir%\system32\inetsrv
appcmd list site
appcmd list site demo
appcmd list config

Backing up certificate bindings

There is not a lot to this really, but it is better that it is automated.

To make a backup file called bindcerts.sh:

Find the hash (thumbprint) of the current standard *.hosts.neosys.com certificate. This changes only when the https certificate is renewed, probably once a year; check the expiry date on the certificate. Run the following command from a Unix-style shell on the server (it uses grep and awk) and pick the hash next to a port you know is currently bound to the certificate. Probably most or all ports will be bound to the same certificate hash.

netsh http show sslcert|grep -B1 Hash

Make the backup file called bindcerts.sh by running the following, with CERTHASH=... set to the hash you found in the previous step. NO SPACES OR QUOTES around the hash.

CERTHASH=06249326271595871fd935a37bd1334bb761e519
netsh http show sslcert| \
grep -B1 "$CERTHASH"| \
grep port| \
awk -v CERTHASH="$CERTHASH" '{print "netsh http add sslcert ipport=" $3 " certhash= " CERTHASH " appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"}' \
| tee bindcerts.sh

The bindcerts.sh created by the above, which we will use to restore the certificate bindings, will contain something like the following:

netsh http add sslcert ipport=0.0.0.0:443 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4432 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4433 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4436 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4437 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4439 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4440 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4441 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4449 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4451 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4453 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4454 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4460 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4461 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4462 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4463 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4465 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4466 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4469 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4470 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4471 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4472 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4473 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4474 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4475 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}

If you need to rebind the certificates then you need to delete the existing bindings first, with something like the following:

netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete sslcert ipport=0.0.0.0:4432
netsh http delete sslcert ipport=0.0.0.0:4433
netsh http delete sslcert ipport=0.0.0.0:4436
netsh http delete sslcert ipport=0.0.0.0:4437
netsh http delete sslcert ipport=0.0.0.0:4439
netsh http delete sslcert ipport=0.0.0.0:4440
netsh http delete sslcert ipport=0.0.0.0:4441
netsh http delete sslcert ipport=0.0.0.0:4449
netsh http delete sslcert ipport=0.0.0.0:4451
netsh http delete sslcert ipport=0.0.0.0:4453
netsh http delete sslcert ipport=0.0.0.0:4454
netsh http delete sslcert ipport=0.0.0.0:4460
netsh http delete sslcert ipport=0.0.0.0:4461
netsh http delete sslcert ipport=0.0.0.0:4462
netsh http delete sslcert ipport=0.0.0.0:4463
netsh http delete sslcert ipport=0.0.0.0:4465
netsh http delete sslcert ipport=0.0.0.0:4466
netsh http delete sslcert ipport=0.0.0.0:4469
netsh http delete sslcert ipport=0.0.0.0:4470
netsh http delete sslcert ipport=0.0.0.0:4471
netsh http delete sslcert ipport=0.0.0.0:4472
netsh http delete sslcert ipport=0.0.0.0:4473
netsh http delete sslcert ipport=0.0.0.0:4474
netsh http delete sslcert ipport=0.0.0.0:4475
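A more general version of the bindcerts.sh generator, added here as an example rather than taken from the page, that produces both the add commands above and the matching delete commands from one pass over netsh http show sslcert output. The function names, the constructed netsh output and the placeholder hash of an old certificate in it are the example's own; the appid is IIS's, as used above:

```shell
#!/bin/sh
# Added example (not from the NEOSYS wiki): generate both bindcerts.sh and the
# matching delete commands from the output of "netsh http show sslcert", for
# one certificate hash. Compared with the one-liner above it also handles
# IPv6 bindings such as [::]:443, the CRLF line endings a Windows tool prints
# into a Unix-style shell, and an uppercase thumbprint pasted from certmgr.
# The netsh output below is constructed; the second hash is a made-up
# placeholder standing in for an old certificate that must not be included.

# valid_certhash HASH -> 0 if HASH is exactly 40 hex characters with no
# spaces or quotes (anything else gives netsh's "The parameter is incorrect")
valid_certhash() {
    case "$1" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 40 ]
}

# sslcert_ipports HASH  (netsh output on stdin) -> one ip:port per line that is
# currently bound to HASH, compared case-insensitively
sslcert_ipports() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                        # strip CR from CRLF output
        /^[ \t]*IP:port[ \t]*:/ { ipport = $NF }  # start of one binding block
        /^[ \t]*Certificate Hash[ \t]*:/ {
            if (tolower($NF) == tolower(want)) print ipport
        }'
}

# bind_script HASH APPID  (netsh output on stdin) -> one "netsh http add sslcert"
# line per bound port; APPID is the IIS application id used on this page
bind_script() {
    sslcert_ipports "$1" | awk -v h="$1" -v a="$2" \
        '{ print "netsh http add sslcert ipport=" $1 " certhash=" h " appid=" a }'
}

# unbind_script HASH  (netsh output on stdin) -> the matching delete commands,
# needed before re-adding because "add sslcert" never overwrites (error 183)
unbind_script() {
    sslcert_ipports "$1" | awk '{ print "netsh http delete sslcert ipport=" $1 }'
}

# Constructed sample of "netsh http show sslcert": three ports on the current
# certificate (one of them IPv6, one hash in upper case) and one on an old one
SAMPLE_NETSH='
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 06249326271595871fd935a37bd1334bb761e519
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:4432
    Certificate Hash             : 06249326271595871fd935a37bd1334bb761e519
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    IP:port                      : [::]:443
    Certificate Hash             : 06249326271595871FD935A37BD1334BB761E519
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:8443
    Certificate Hash             : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
'

CERTHASH=06249326271595871fd935a37bd1334bb761e519
APPID='{4dc3e181-e14b-4a21-b022-59fc669b0914}'

valid_certhash "$CERTHASH" || { echo "CERTHASH is not a bare 40-hex thumbprint: '$CERTHASH'" >&2; exit 1; }
# On the server replace the printf with:
#   netsh http show sslcert | bind_script "$CERTHASH" "$APPID" | tee bindcerts.sh
printf '%s\n' "$SAMPLE_NETSH" | bind_script "$CERTHASH" "$APPID"
printf '%s\n' "$SAMPLE_NETSH" | unbind_script "$CERTHASH"
```

The generated add lines use certhash=HASH with no space, which is netsh's documented form; the port on the old certificate is left out of both scripts, so running the delete script then the add script rebinds only the ports that belong to the current certificate.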

Restoring certificate bindings

Import the certificate(s) first.

  1. IIS
  2. Server item
  3. Server Certificates
  4. Import
  5. Certificate File D:\hosts\CERTIFICATES\hosts.neosys.com.pfx
  6. Password 1fd...
  7. Allow this certificate to be exported: NO

Bind the certificate to the https ports

If you don't have the binding backup file (bindcerts.sh) you can just redo the bindings one by one on each website without much effort anyway. This process exists mainly to enable automated restores on warm backup servers.

This will only ADD bindings; it will not delete or overwrite existing bindings, so you may have to delete bindings first to allow changes.

Get the bindcerts.sh file from the restored backup.

Make the file executable and execute it

chmod +x bindcerts.sh
./bindcerts.sh

or just cut and paste the contents of the file into a Windows command console.

"SSL Certificate add failed, Error: 1312"

A specified logon session does not exist. It may already have been terminated.

You didn't import the certificate first, OR the hash in bindcerts.sh isn't correct (doesn't match the imported certificate). The certificate must be in the Local Computer (machine) certificate store, which is where the IIS Manager import above puts it; a certificate imported into a user's own store gives this error too.

"SSL Certificate add failed, Error: 87"

The parameter is incorrect.

Check that your hash is correct and that everything else is exactly right. A valid certificate hash is exactly 40 hexadecimal characters with no spaces or quotes. Check the characters one by one from the BACK of the line SLOWLY to ensure you are not suffering from inattention to detail!

"SSL Certificate add failed, Error: 183"

SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.

Perhaps you have already bound the port, either to the right certificate or to a wrong/old one. Check with netsh http show sslcert, then delete the binding and try again. Here is an example of deleting the binding on port 43999:

netsh http delete sslcert ipport=0.0.0.0:43999