Backing up and Restoring IIS configuration: Difference between revisions
(One intermediate revision by one other user not shown) | |||
Line 54: | Line 54: | ||
%windir%\system32\inetsrv\appcmd list backup | %windir%\system32\inetsrv\appcmd list backup | ||
=== Set IIS automatic backup location to | === Set IIS automatic backup location to D: === | ||
By default, Windows automatically backups the last 10 IIS configurations | By default, Windows automatically backups the last 10 IIS configurations | ||
Line 63: | Line 63: | ||
We need to: | We need to: | ||
#Change the location of the automatic backups since NEOSYS backup procedures do not backup C: drive. ESSENTIAL | |||
#Increase the number of backups. OPTIONAL | |||
Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100 | Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100, by entering the following commands in command prompt. | ||
mkdir d:\inetpub\history | mkdir d:\inetpub\history | ||
Line 74: | Line 74: | ||
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost | appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost | ||
Check that automatic backups are in fact now going to D: by making some | Check that automatic backups are in fact now going to D: by making some trivial change in IIS and waiting 2 minutes to see the backup appear in D: | ||
trivial change in IIS and waiting 2 minutes to see the backup appear in D: | |||
=== Using other IIS configuration commands === | === Using other IIS configuration commands === | ||
Line 201: | Line 200: | ||
netsh http add sslcert ipport=0.0.0.0:4474 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} | netsh http add sslcert ipport=0.0.0.0:4474 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} | ||
netsh http add sslcert ipport=0.0.0.0:4475 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} | netsh http add sslcert ipport=0.0.0.0:4475 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} | ||
If you need to rebind the certificates then you need to delete them first something like the following: | |||
netsh http delete sslcert ipport=0.0.0.0:443 | |||
netsh http delete sslcert ipport=0.0.0.0:4432 | |||
netsh http delete sslcert ipport=0.0.0.0:4433 | |||
netsh http delete sslcert ipport=0.0.0.0:4436 | |||
netsh http delete sslcert ipport=0.0.0.0:4437 | |||
netsh http delete sslcert ipport=0.0.0.0:4439 | |||
netsh http delete sslcert ipport=0.0.0.0:4440 | |||
netsh http delete sslcert ipport=0.0.0.0:4441 | |||
netsh http delete sslcert ipport=0.0.0.0:4449 | |||
netsh http delete sslcert ipport=0.0.0.0:4451 | |||
netsh http delete sslcert ipport=0.0.0.0:4453 | |||
netsh http delete sslcert ipport=0.0.0.0:4454 | |||
netsh http delete sslcert ipport=0.0.0.0:4460 | |||
netsh http delete sslcert ipport=0.0.0.0:4461 | |||
netsh http delete sslcert ipport=0.0.0.0:4462 | |||
netsh http delete sslcert ipport=0.0.0.0:4463 | |||
netsh http delete sslcert ipport=0.0.0.0:4465 | |||
netsh http delete sslcert ipport=0.0.0.0:4466 | |||
netsh http delete sslcert ipport=0.0.0.0:4469 | |||
netsh http delete sslcert ipport=0.0.0.0:4470 | |||
netsh http delete sslcert ipport=0.0.0.0:4471 | |||
netsh http delete sslcert ipport=0.0.0.0:4472 | |||
netsh http delete sslcert ipport=0.0.0.0:4473 | |||
netsh http delete sslcert ipport=0.0.0.0:4474 | |||
netsh http delete sslcert ipport=0.0.0.0:4475 | |||
=== Restoring certificate bindings === | === Restoring certificate bindings === |
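Review bot: the 25 hard-coded "netsh http delete sslcert" lines added in this hunk will go stale as soon as a site port is added or retired, the same way the hard-coded add lines shown as context above (4474, 4475) would. Suggest stating that the delete list should be produced from the same "netsh http show sslcert" listing that is used for the add list, and that the add commands must be run straight after the deletes, because a port whose binding has been deleted has no certificate until it is re-added. The new sentence also needs punctuation: "delete them first, something like the following:".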
Latest revision as of 11:28, 4 June 2018
Backing up and Restoring IIS configuration
An automated backup process already exists in Windows IIS in every installation but only to C: drive. This article discusses how to get it backed up properly off-server by NEOSYS backup processes for servers with lots of installations. Small installations hardly need backup of IIS since it takes little time to reconfigure a single website.
The main point of this article is to give an understanding of the backup process and perhaps most importantly how it can be used to restore on servers with large numbers of web sites like win3/win4.
All IIS configuration performed in IIS manager seems to be backed up/restored by the following procedures ... EXCEPT imported certificates and the binding/mapping of port numbers to certificates, which is discussed later on in the section "Backing up certificate bindings".
This article does not include backup or restore of actual web site directories, files and permissions.
A simple backup of IIS configuration can be done quickly at any time, for example before making a change in IIS that you are uncertain of.
c:\windows\system32\inetsrv\appcmd add backup SOMEBACKUPNAME
A simple restore will put everything back as it was. It appears that sites unaffected by the restore are not restarted so this can be done while users are online to unaffected websites. In the worst case, users will have to login again but as this is a popup in the middle of existing NEOSYS screens, they should not lose any work they are doing or documents they are entering.
c:\windows\system32\inetsrv\appcmd restore backup SOMEBACKUPNAME
Essentially the whole of IIS configuration for all sites is stored in a single text file which can be edited, backed up and restored manually by simple file copy, or by using the APPCMD.EXE program, which has the advantage of automatically reloading IIS at the appropriate time.
applicationHost.config
Windows provides a command "appcmd.exe" to manage IIS configuration from the command line. All APPCMD commands either need to be run in the following directory or to be prefixed with "%windir%\system32\inetsrv\" as follows:
c:
cd %windir%\system32\inetsrv
appcmd list backup
or all in one line
%windir%\system32\inetsrv\appcmd list backup
Set IIS automatic backup location to D:
By default, Windows automatically backs up the last 10 IIS configurations to c:\inetpub\history, looking for changes every 2 minutes.
The steps below are already done on win3/win4.
We need to:
- Change the location of the automatic backups since NEOSYS backup procedures do not back up the C: drive. ESSENTIAL
- Increase the number of backups. OPTIONAL
Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100, by entering the following commands in command prompt.
mkdir d:\inetpub\history
c:
cd %windir%\system32\inetsrv
appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost
Check that automatic backups are in fact now going to D: by making some trivial change in IIS and waiting 2 minutes to see the backup appear in D:
Using other IIS configuration commands
Other APPCMD configuration commands are as follows. Here showing setting the default configuration.
appcmd set config -section:system.applicationHost/configHistory /enabled:"True" /commit:apphost
appcmd set config -section:system.applicationHost/configHistory /period:"00:02:00" /commit:apphost
Manually triggering backup of IIS
appcmd add backup SOMEBACKUPNAME
Manual backups are just copies of the IIS configuration file, the same as the automatic backups ... but they are stored in a different place
C:\Windows\System32\inetsrv\backups\SOMEBACKUPNAME
Restoring IIS backups
Copy the last backup directory (eg CFGHISTORY_0000000913) from d:\inetpub\history to c:\inetpub\history eg using cut and paste
Get to the directory where the APPCMD program is stored
c:
cd %windir%\system32\inetsrv
List available backups and check your backup is available
appcmd list backup
Perform the restore
appcmd restore backup CFGHISTORY_0000000913
Note that restoring will also set the backup directory to wherever it was in the backup (ie d:\inetpub\history)
Each backup is stored in a separate directory and you can rename them by simply changing the directory name.
The list of available backups is a merged set from the default automatic location, the configured automatic location (changed from the default C: to D:), and default manual backup location
c:\inetpub\history (AUTOMATICALLY TRIGGERED ORIGINALLY)
D:\inetpub\history\ (AUTOMATICALLY TRIGGERED AFTER RECONFIGURATION)
c:\windows\system32\inetsrv\backups (MANUALLY TRIGGERED)
There is no need to restart IIS after restoring using APPCMD RESTORE but you may need to press F5 to refresh in IIS manager to see results of restore if restore changes anything.
Manually editing IIS configuration
You can edit the configuration files in any backup and then restore that backup.
This is useful in order either to make custom changes that cannot be done in the UI, eg removing an https binding without affecting other sites that use the same certificate, or to make mass changes that can be done quicker by editing a text file than navigating a complex GUI, such as removing all http site bindings.
applicationHost.config
other IIS APPCMD config commands
c:
cd %windir%\system32\inetsrv
appcmd list site
appcmd list site demo
appcmd list config
Backing up certificate bindings
There is not a lot to this really but it is better that it is automated.
To make a backup file called bindcerts.sh
Find the hash of the current standard *.hosts.neosys.com certificate. This will change only once a year or however often the https certificate is renewed. Check the expiry date on the certificate. Run the following command and pick the hash next to a port you know is currently bound to the certificate. Probably most or all ports will be bound to the same certificate hash.
netsh http show sslcert|grep -B1 Hash
Make the backup file called bindcerts.sh. Set CERTHASH= to what you found in the previous step. NO SPACES OR QUOTES
CERTHASH=06249326271595871fd935a37bd1334bb761e519
netsh http show sslcert| \
grep -B1 "$CERTHASH"| \
grep port| \
awk -v CERTHASH="$CERTHASH" '{print "netsh http add sslcert ipport=" $3 " certhash= " CERTHASH " appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"}' \
| tee bindcerts.sh
The bindcerts.sh created by the above and that we will use to restore certificate binding will contain something like the following:
netsh http add sslcert ipport=0.0.0.0:443 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4432 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4433 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4436 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4437 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4439 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4440 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4441 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4449 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4451 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4453 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4454 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4460 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4461 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4462 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4463 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4465 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4466 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4469 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4470 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4471 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4472 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4473 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4474 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
netsh http add sslcert ipport=0.0.0.0:4475 certhash= 06249326271595871fd935a37bd1334bb761e519 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
If you need to rebind the certificates then you need to delete them first, something like the following:
netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete sslcert ipport=0.0.0.0:4432
netsh http delete sslcert ipport=0.0.0.0:4433
netsh http delete sslcert ipport=0.0.0.0:4436
netsh http delete sslcert ipport=0.0.0.0:4437
netsh http delete sslcert ipport=0.0.0.0:4439
netsh http delete sslcert ipport=0.0.0.0:4440
netsh http delete sslcert ipport=0.0.0.0:4441
netsh http delete sslcert ipport=0.0.0.0:4449
netsh http delete sslcert ipport=0.0.0.0:4451
netsh http delete sslcert ipport=0.0.0.0:4453
netsh http delete sslcert ipport=0.0.0.0:4454
netsh http delete sslcert ipport=0.0.0.0:4460
netsh http delete sslcert ipport=0.0.0.0:4461
netsh http delete sslcert ipport=0.0.0.0:4462
netsh http delete sslcert ipport=0.0.0.0:4463
netsh http delete sslcert ipport=0.0.0.0:4465
netsh http delete sslcert ipport=0.0.0.0:4466
netsh http delete sslcert ipport=0.0.0.0:4469
netsh http delete sslcert ipport=0.0.0.0:4470
netsh http delete sslcert ipport=0.0.0.0:4471
netsh http delete sslcert ipport=0.0.0.0:4472
netsh http delete sslcert ipport=0.0.0.0:4473
netsh http delete sslcert ipport=0.0.0.0:4474
netsh http delete sslcert ipport=0.0.0.0:4475
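The backup and rebind steps above combined into one generator, as an added example that is not part of the original page: it reads a "netsh http show sslcert" listing, rejects a hash that is not 40 hex digits, and prints a delete/add pair for every port bound to that hash, taking the appid from the listing itself. The function names, the sample listing and its 8443 entry are constructed for illustration.

```shell
#!/bin/sh
# gen_rebind HASH: read `netsh http show sslcert` output on stdin and print,
# for every port bound to HASH, a delete line followed by the matching add line.
gen_rebind() {
    hash=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # A SHA-1 thumbprint is exactly 40 hex digits; reject stray spaces, quotes
    # or a truncated paste before any command is generated.
    case "$hash" in
        ''|*[!0-9a-f]*) echo "bad certhash: $1" >&2; return 2 ;;
    esac
    [ "${#hash}" -eq 40 ] || { echo "bad certhash length: ${#hash}" >&2; return 2; }
    # netsh writes CRLF line endings; strip CR so the last field stays clean.
    tr -d '\r' | awk -v want="$hash" '
        /IP:port/          { port = $NF }
        /Certificate Hash/ { got = tolower($NF) }
        /Application ID/   {            # last field of interest in each record
            if (got == want) {
                print "netsh http delete sslcert ipport=" port
                print "netsh http add sslcert ipport=" port " certhash=" want " appid=" $NF
                n++
            }
            port = ""; got = ""
        }
        END { exit (n > 0 ? 0 : 1) }    # non-zero when the hash is bound nowhere
    '
}

# Constructed sample listing (not captured from a real server); the 8443
# entry uses a made-up hash to show that other certificates are left alone.
sample_sslcert() {
cat <<'EOF'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 06249326271595871fd935a37bd1334bb761e519
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}

    IP:port                      : 0.0.0.0:4432
    Certificate Hash             : 06249326271595871fd935a37bd1334bb761e519
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}

    IP:port                      : 0.0.0.0:8443
    Certificate Hash             : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
EOF
}

sample_sslcert | gen_rebind 06249326271595871fd935a37bd1334bb761e519
```

On a server, pipe the real listing in place of sample_sslcert and redirect the output to a file; keeping each delete next to its add limits the time a port spends without a certificate.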
Restoring certificate bindings
Import the certificate(s) first.
- IIS
- Server item
- Server Certificates
- Import
- Certificate File D:\hosts\CERTIFICATES\hosts.neosys.com.pfx
- Password 1fd...
- Allow to be exported. NO
Bind the certificate to the https ports
If you don't have the binding backup file (bindcerts.sh) then you can just redo the bindings one by one on each website without much effort anyway. This process is more to enable automated restores on warm backup servers.
This will only ADD bindings; it will not delete or overwrite any existing bindings, so you might have to delete bindings first to allow changes.
Get the bindcerts.sh file from the restore stage
Make the file executable and execute it
chmod +x bindcerts.sh
./bindcerts.sh
or just cut and paste the contents of the file into a Windows command console
"SSL Certificate add failed, Error: 1312"
A specified logon session does not exist. It may already have been terminated.
You didn't import the certificate first OR the HASH in the export wasn't correct (doesn't match the imported certificate).
If you get a message "parameter incorrect" then check that your hash is correct and everything else is exactly correct. Check characters one by one from the BACK of the sentence SLOWLY to ensure you are not suffering from inattention to detail!
The parameter is incorrect.
"SSL Certificate add failed, Error: 183"
SSL Certificate add failed, Error: 183 Cannot create a file when that file already exists.
Perhaps you have already bound the port to the right certificate, or to a wrong/old certificate.
Delete the binding and try again. Here is an example of deleting the binding on port 43999:
netsh http delete sslcert ipport=0.0.0.0:43999