Backing up and Restoring IIS configuration: Difference between revisions
Line 63: | Line 63: | ||
We need to: | We need to: | ||
1. Change the location of the automatic backups since NEOSYS backup | 1. Change the location of the automatic backups since NEOSYS backup procedures dont backup C: drive. ESSENTIAL | ||
procedures dont backup C: drive. ESSENTIAL | |||
2. Increase the number of backups. OPTIONAL | 2. Increase the number of backups. OPTIONAL | ||
Configure the new backup location on d: and increase the number of | Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100 | ||
historical backups kept from 10 to 100 | |||
mkdir d:\inetpub\history | mkdir d:\inetpub\history | ||
c: | |||
cd %windir%\system32\inetsrv | |||
appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost | appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost | ||
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost | appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost |
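Review bot: the step `mkdir d:\inetpub\history` creates the new history directory with whatever permissions it inherits from d:\, and nothing in this section says who should be able to read it. This directory will hold the automatic copies of the IIS configuration, so add a line telling the reader to check that access is limited to administrators and SYSTEM before pointing configHistory at it. In step 1, "dont backup C: drive" should read "don't back up the C: drive".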
Revision as of 15:11, 22 April 2016
Backing up and Restoring IIS configuration
An automated backup process already exists in Windows IIS in every installation but only to C: drive. This article discusses how to get it backed up properly off-server by NEOSYS backup processes for servers with lots of installations. Small installations hardly need backup of IIS since it takes little time to reconfigure a single website.
The main point of this article is to give an understanding of the backup process and perhaps most importantly how it can be used to restore on servers with large numbers of web sites like win3/win4.
All IIS configuration performed in IIS manager seems to be backed up/restored by the following procedures ... EXCEPT imported certificates and the binding/mapping of port numbers to certificates, which is discussed later on in "Backing up certificate bindings".
This article does not include backup or restore of actual web site directories, files and permissions.
A simple backup of IIS configuration can be done quickly at any time before making a change in IIS that you are uncertain of.
c:\windows\system32\inetsrv\appcmd add backup SOMEBACKUPNAME
A simple restore will put everything back as it was. It appears that sites unaffected by the restore are not restarted so this can be done while users are online to unaffected websites. In the worst case, users will have to login again but as this is a popup in the middle of existing NEOSYS screens, they should not lose any work they are doing or documents they are entering.
c:\windows\system32\inetsrv\appcmd restore backup SOMEBACKUPNAME
Essentially the whole of the IIS configuration for all sites is stored in a single text file, which can be edited, backed up and restored manually by simple file copy, or by using the APPCMD.EXE program, which has the advantage of automatically reloading IIS at the appropriate time.
applicationHost.config
Windows provides a command "appcmd.exe" to manage IIS configuration from the command line. All APPCMD commands either need to be run in the following directory or to be prefixed with "%windir%\system32\inetsrv\" as follows:
c:
cd %windir%\system32\inetsrv
appcmd list backup
or all in one line
%windir%\system32\inetsrv\appcmd list backup
Set IIS automatic backup location to d:
By default, Windows automatically backs up the last 10 IIS configurations to c:\inetpub\history, looking for changes every 2 minutes.
The steps below are already done on win3/win4
We need to:
1. Change the location of the automatic backups since NEOSYS backup procedures don't back up the C: drive. ESSENTIAL
2. Increase the number of backups. OPTIONAL
Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100
mkdir d:\inetpub\history
c:
cd %windir%\system32\inetsrv
appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost
Check that automatic backups are in fact now going to D: by making some trivial change in IIS and waiting 2 minutes to see the backup appear in D:
Using other IIS configuration commands
Other APPCMD configuration commands are as follows. They are shown here setting the default configuration.
appcmd set config -section:system.applicationHost/configHistory /enabled:"True" /commit:apphost
appcmd set config -section:system.applicationHost/configHistory /period:"00:02:00" /commit:apphost
Manually triggering backup of IIS
appcmd add backup SOMEBACKUPNAME
Manual backups are just copies of the IIS configuration file, the same as the automatic backups ... but they are stored in a different place:
C:\Windows\System32\inetsrv\backups\SOMEBACKUPNAME
Restoring IIS backups
IIS backups can be listed, restored and deleted.
appcmd list backup
appcmd restore backup SOMEBACKUPNAME
appcmd delete backup SOMEBACKUPNAME
Each backup is stored in a separate directory and you can rename them by simply changing the directory name.
The list of available backups is a merged set from the default automatic location, the configured automatic location (changed from the default C: to D:), and the default manual backup location:
c:\inetpub\history (AUTOMATICALLY TRIGGERED ORIGINALLY)
D:\inetpub\history\ (AUTOMATICALLY TRIGGERED AFTER RECONFIGURATION)
c:\windows\system32\inetsrv\backups (MANUALLY TRIGGERED)
There is no need to restart IIS after restoring using APPCMD RESTORE but you may need to press F5 to refresh in IIS manager to see results of restore if restore changes anything.
Manually editing IIS configuration
You can edit the configuration files in any backup and then restore that backup.
This is useful in order either to make custom changes that cannot be done in the UI, eg removing an https binding without affecting other sites that use the same certificate, or to make mass changes that can be done quicker by editing a text file than navigating a complex GUI, such as removing all http site bindings.
applicationHost.config
Other IIS APPCMD config commands
appcmd list site
appcmd list site demo
appcmd list config
Backing up certificate bindings
There is not a lot to this really but it is better that it is automated.
To make a backup file called bindcerts.sh
Find the hash of the current standard *.hosts.neosys.com certificate. This changes only when the https certificate is renewed, probably once a year. Check the expiry date on the certificate. Run the following command and pick the hash next to a port you know is currently bound to the certificate. Most or all ports will probably be bound to the same certificate hash.
netsh http show sslcert|grep -B1 Hash
Make the backup file called bindcerts.sh. Set CERTHASH= to the hash you found in the previous step. NO SPACES OR QUOTES
CERTHASH=06249326271595871fd935a37bd1334bb761e519
# Writes one "netsh http add sslcert" line per port currently bound to $CERTHASH
netsh http show sslcert | \
 grep -B1 "$CERTHASH" | \
 grep port | \
 awk -v CERTHASH="$CERTHASH" '{print "netsh http add sslcert ipport=" $3 " certhash=" CERTHASH " appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"}' \
 | tee bindcerts.sh
Restoring certificate bindings
If you don't have the backup file then you can just import the certificate and redo the bindings without much effort anyway. This process is more to enable automated restores on warm backup servers.
This will only ADD bindings, it will not delete, nor overwrite any existing bindings so you might have to delete bindings first to allow changes.
Get the bindcerts.sh file from the restore stage
Make the file executable and execute it
chmod +x bindcerts.sh
./bindcerts.sh
If you get a message "parameter incorrect" then check that your hash is correct and everything else is exactly correct. Check characters one by one from the BACK of the sentence SLOWLY to ensure you are not suffering from inattention to detail!
The parameter is incorrect.
If you get a message "already exists" then perhaps you have already bound the port to the right certificate ... or to a wrong/old certificate
SSL Certificate add failed, Error: 183 Cannot create a file when that file already exists.
... delete the binding and try again. Here is an example of deleting binding on port 43999
netsh http delete sslcert ipport=0.0.0.0:43999
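The "already exists" case above can be found before running the restore. The following is an added example, not part of the original article: it reads `netsh http show sslcert` output, lists ports bound to a hash other than the expected one, and prints a delete/add pair for each. The sample output and the second hash are constructed; the function names are hypothetical, and the hash comparison ignores case, which the grep in bindcerts.sh does not.

```shell
#!/bin/sh
# Added example (not from the original page). Reads `netsh http show sslcert`
# output on stdin; the sample below is constructed so the script runs anywhere.

EXPECTED=06249326271595871fd935a37bd1334bb761e519   # hash used on the page
APPID='{4dc3e181-e14b-4a21-b022-59fc669b0914}'      # appid used on the page

sample_sslcert() {   # constructed sample; the 43999 hash is made up
cat <<'EOF'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 06249326271595871fd935a37bd1334bb761e519
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}

    IP:port                      : 0.0.0.0:43999
    Certificate Hash             : 00112233445566778899AABBCCDDEEFF00112233
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}

    IP:port                      : 0.0.0.0:44001
    Certificate Hash             : 06249326271595871FD935A37BD1334BB761E519
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
EOF
}

# One "ipport hash" pair per binding; strips CRs and lower-cases the hash.
list_bindings() {
  tr -d '\r' | awk '
    $1 == "IP:port"                     { port = $3 }
    $1 == "Certificate" && $2 == "Hash" { print port, tolower($4) }'
}

# Ports whose bound hash differs from the expected one (old or wrong certificate).
stale_bindings() {
  list_bindings | awk -v want="$1" '$2 != tolower(want) { print $1 }'
}

# For each stale port: delete first, then add, so the add cannot fail with error 183.
rebind_commands() {
  stale_bindings "$1" | while read -r ipport; do
    echo "netsh http delete sslcert ipport=$ipport"
    echo "netsh http add sslcert ipport=$ipport certhash=$1 appid=$APPID"
  done
}

sample_sslcert | rebind_commands "$EXPECTED"
```

On the server, replace `sample_sslcert` with `netsh http show sslcert` and review the printed commands before running them.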