Backing up and Restoring IIS configuration

From NEOSYS Technical Support Wiki


Every Windows IIS installation already has an automated backup process, but it only backs up to the C: drive. This article discusses how to get the IIS configuration backed up properly off-server by NEOSYS backup processes, for servers with lots of installations. Small installations hardly need a backup of IIS since it takes little time to reconfigure a single website.

The main point of this article is to give an understanding of the backup process and perhaps most importantly how it can be used to restore on servers with large numbers of web sites like win3/win4.

All IIS configuration performed in IIS Manager seems to be backed up/restored by the following procedures ... EXCEPT imported certificates and the binding/mapping of port numbers to certificates, which is discussed later on in the section "Backing up certificate bindings".

This article does not include backup or restore of actual web site directories, files and permissions.

A simple backup of the IIS configuration can be done quickly at any time, for example before making a change in IIS that you are uncertain of.

c:\windows\system32\inetsrv\appcmd add backup SOMEBACKUPNAME

A simple restore will put everything back as it was. It appears that sites unaffected by the restore are not restarted, so this can be done while users are online on unaffected websites. In the worst case, users will have to log in again, but as this is a popup in the middle of existing NEOSYS screens, they should not lose any work they are doing or documents they are entering.

c:\windows\system32\inetsrv\appcmd restore backup SOMEBACKUPNAME

Essentially the whole of the IIS configuration for all sites is stored in a single text file, which can be edited, backed up and restored manually by simple file copy, or by using the APPCMD.EXE program, which has the advantage of automatically reloading IIS at the appropriate time.

applicationHost.config

Windows provides a command "appcmd.exe" to manage IIS configuration from the command line. All APPCMD commands either need to be run in the following directory or to be prefixed with "%windir%\system32\inetsrv\" as follows:

c:
cd %windir%\system32\inetsrv
appcmd list backup

or all in one line

%windir%\system32\inetsrv\appcmd list backup

Set IIS automatic backup location to d:

By default, Windows automatically backs up the last 10 IIS configurations to c:\inetpub\history, looking for changes every 2 minutes.

The steps below have already been done on win3/win4.

We need to:

1. Change the location of the automatic backups, since NEOSYS backup procedures don't back up the C: drive. ESSENTIAL
2. Increase the number of backups. OPTIONAL

Configure the new backup location on d: and increase the number of historical backups kept from 10 to 100

mkdir d:\inetpub\history
c:
cd %windir%\system32\inetsrv
appcmd.exe set config -section:system.applicationHost/configHistory /path:"d:\inetpub\history" /commit:apphost
appcmd.exe set config -section:system.applicationHost/configHistory /maxHistories:"100" /commit:apphost

Check that automatic backups are in fact now going to D: by making some trivial change in IIS and waiting 2 minutes to see the backup appear in D:

Using other IIS configuration commands

Other APPCMD configuration commands are as follows. The values shown here are the defaults.

appcmd set config -section:system.applicationHost/configHistory /enabled:"True" /commit:apphost
appcmd set config -section:system.applicationHost/configHistory /period:"00:02:00" /commit:apphost

Manually triggering backup of IIS

appcmd add backup SOMEBACKUPNAME

Manual backups are just copies of the IIS configuration file, the same as the automatic backups ... but they are stored in a different place

C:\Windows\System32\inetsrv\backups\SOMEBACKUPNAME

Restoring IIS backups

IIS backups can be listed, restored and deleted.

appcmd list backup
appcmd restore backup SOMEBACKUPNAME
appcmd delete backup SOMEBACKUPNAME

Each backup is stored in a separate directory and you can rename them by simply changing the directory name.

The list of available backups is a merged set from the default automatic location, the configured automatic location (changed from the default C: to D:), and default manual backup location

c:\inetpub\history (AUTOMATICALLY TRIGGERED ORIGINALLY)
D:\inetpub\history\ (AUTOMATICALLY TRIGGERED AFTER RECONFIGURATION)
c:\windows\system32\inetsrv\backups (MANUALLY TRIGGERED)

There is no need to restart IIS after restoring using APPCMD RESTORE but you may need to press F5 to refresh in IIS manager to see results of restore if restore changes anything.

Manually editing IIS configuration

You can edit the configuration files in any backup and then restore that backup.

This is useful either to make custom changes that cannot be done in the UI, e.g. removing an https binding without affecting other sites that use the same certificate, or to make mass changes that can be done more quickly by editing a text file than by navigating a complex GUI, such as removing all http site bindings.

applicationHost.config
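Before restoring an edited backup it helps to list exactly which http bindings the file still contains, and to confirm none remain after the edit. The script below is an added example, not part of the original wiki procedure; the function names and the sample configuration are constructed, and it assumes the file has one XML element per line and is processed in the same Unix-style shell (sh, awk) used for bindcerts.sh later in this article.

```shell
#!/bin/sh
# Added example: review plain-http bindings in a COPY of applicationHost.config.
# Assumption: one XML element per line, protocol= inside the <binding> tag.

# Constructed sample (site names, host name and ports are made up).
sample_config() {
cat <<'EOF'
<sites>
    <site name="demo" id="1">
        <bindings>
            <binding protocol="http" bindingInformation="*:80:demo.example.test" />
            <binding protocol="https" bindingInformation="*:4430:" />
        </bindings>
    </site>
    <site name="test" id="2">
        <bindings>
            <binding protocol="https" bindingInformation="*:4431:" />
        </bindings>
    </site>
</sites>
EOF
}

# Print "site<TAB>bindingInformation" for every plain-http binding on stdin.
list_http_bindings() {
    awk '
        /<site / && match($0, /name="[^"]*"/) {
            site = substr($0, RSTART + 6, RLENGTH - 7)       # text between the quotes
        }
        /<binding / && /protocol="http"/ && match($0, /bindingInformation="[^"]*"/) {
            print site "\t" substr($0, RSTART + 20, RLENGTH - 21)
        }
    '
}

# Copy stdin to stdout without the plain-http <binding> lines (https is kept).
strip_http_bindings() {
    awk '!(/<binding / && /protocol="http"/)'
}

# Demo on the constructed sample: shows the one http binding of site "demo".
sample_config | list_http_bindings
```

On a server, run `list_http_bindings < applicationHost.config` against the copy inside the backup directory, edit or strip, then run it again and expect no output before using appcmd restore backup.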

Other IIS APPCMD config commands

appcmd list site
appcmd list site demo
appcmd list config

Backing up certificate bindings

There is not a lot to this really, but it is better that it is automated.

To make a backup file called bindcerts.sh:

Find the hash of the current standard *.hosts.neosys.com certificate. This will change only when the https certificate is renewed, probably once a year. Check the expiry date on the certificate. Run the following command and pick the hash next to a port you know is currently bound to the certificate. Probably most or all ports will be bound to the same certificate hash.

netsh http show sslcert|grep -B1 Hash

Make the backup file called bindcerts.sh. Set CERTHASH= to the hash you found in the previous step. NO SPACES OR QUOTES

CERTHASH=06249326271595871fd935a37bd1334bb761e519
netsh http show sslcert| \
grep -B1 "$CERTHASH"| \
grep port| \
awk -v CERTHASH="$CERTHASH" '{print "netsh http add sslcert ipport=" $3 " certhash=" CERTHASH " appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"}' \
| tee bindcerts.sh

Restoring certificate bindings

If you don't have the backup file then you can just import the certificate and redo the bindings without much effort anyway. This process is more to enable automated restores on warm backup servers.

This will only ADD bindings. It will not delete or overwrite any existing bindings, so you might have to delete bindings first to allow changes.

Get the bindcerts.sh file from the restore stage

Make the file executable and execute it

chmod +x bindcerts.sh
./bindcerts.sh

If you get a message "parameter incorrect" then check that your hash is correct and everything else is exactly correct. Check characters one by one from the BACK of the sentence SLOWLY to ensure you are not suffering from inattention to detail!

The parameter is incorrect.

If you get a message "already exists" then perhaps you have already bound the port to the right certificate ... or to a wrong/old certificate

SSL Certificate add failed, Error: 183
Cannot create a file when that file already exists.

... delete the binding and try again. Here is an example of deleting the binding on port 43999

netsh http delete sslcert ipport=0.0.0.0:43999
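After a restore, the bindings can be checked against the expected certificate hash to catch ports still bound to a wrong or old certificate. The script below is an added example, not part of the original wiki procedure; the function names and the sample netsh output are constructed, and it assumes the same Unix-style shell (sh, awk) that runs bindcerts.sh.

```shell
#!/bin/sh
# Added example: compare every binding in `netsh http show sslcert` output
# with one expected certificate hash.

# Constructed sample of netsh output (the second hash is a made-up "old" one).
sample_sslcert() {
cat <<'EOF'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:4430
    Certificate Hash             : 06249326271595871fd935a37bd1334bb761e519
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}

    IP:port                      : 0.0.0.0:4431
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
EOF
}

# Usage: netsh http show sslcert | audit_bindings EXPECTED_HASH
# Prints "OK ipport" or "MISMATCH ipport hash" per binding.
# Returns 0 if all match, 1 on any mismatch, 2 if EXPECTED_HASH is not
# exactly 40 hex characters (stray spaces or quotes are rejected here).
audit_bindings() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    awk -v want="$expected" '
        { sub(/\r$/, "") }                 # netsh on Windows may emit CRLF
        /IP:port/          { ipport = $3 }
        /Certificate Hash/ {
            got = tolower($4)
            if (got == want) print "OK " ipport
            else { print "MISMATCH " ipport " " got; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Demo on the constructed sample: port 4431 is reported as a mismatch.
sample_sslcert | audit_bindings 06249326271595871fd935a37bd1334bb761e519 || true
```

Any MISMATCH line names a port whose binding should be deleted with netsh http delete sslcert and re-added from bindcerts.sh.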