IIS Shared Configuration Migration for IIS (from 7.5 to 8.5)

Tags: 4667 views 6

How to perform an upgrade from Windows Server 2008 to Windows Server 2012, which is used in shared hosting with Atomia. Shared configuration for IIS between versions 7.5 and 8.5 is not quite compatible, but we try to make it as painless as possible. Here we go!

How IIS clusters work with Atomia

Atomia uses shared configuration for IIS nodes, usually located at: \\storage\webshare\configuration\iis. For access to the shared config file domain\domain_user is used.

The web content is located at: \\storage\webshare\content. When a website is created all configurations are saved in \\storage\webshare\configuration\iis\applicationHost.config and administration.config. The website is available on all IIS nodes.

For communication with IIS clusters (e.g. when adding new websites, deleting, or modifying) Atomia uses a resource description file (http://learn.atomia.com/manuals/atomia-automation-server/configuration/resource-description/) on the provisioning server:

C:\Program Files (x86)\Atomia\AutomationServer\Common\Resources.xml

...
<resourceList>
    <resource name="IISServersCluster">
        <property name="IPAddress">10.133.9.68</property>
        <property name="ClusterIpAddress">81.236.59.231</property>
    </resource>
</resourceList>
...

Upgrading from Windows Server 2008 to Windows Server 2012

The safest way to do migration is by exporting the websites and application pools as xml documents and import these on the new node. Once you have completed the whole process (see steps below) you will need to export the configurations: applicationHost.config, administration.config, and configEncKey.key. Put these these files on a centralized storage, \\storage\webshare\configuration\iis, and import this config from the storage for every new node.

Important!

You will be asked for password during the export. Make sure to write this down in some password manager, as this is important later on for maintenance purposes.

  1. Install the new server (Windows 2012).
  2. Join it to your domain.
  3. Ensure that all IIS features are enabled:
    Dism /online /Enable-Feature /FeatureName:NetFx3 /all
    Dism /online /Enable-Feature /FeatureName:IIS-WebServerRole
    Dism /online /Enable-Feature /FeatureName:IIS-WebServer
    Dism /online /Enable-Feature /FeatureName:IIS-CommonHttpFeatures
    Dism /online /Enable-Feature /FeatureName:IIS-Security
    Dism /online /Enable-Feature /FeatureName:IIS-RequestFiltering
    Dism /online /Enable-Feature /FeatureName:IIS-StaticContent
    Dism /online /Enable-Feature /FeatureName:IIS-DefaultDocument
    Dism /online /Enable-Feature /FeatureName:IIS-ApplicationDevelopment
    Dism /online /Enable-Feature /FeatureName:IIS-NetFxExtensibility /all
    Dism /online /Enable-Feature /FeatureName:IIS-ISAPIExtensions
    Dism /online /Enable-Feature /FeatureName:IIS-ASP
    Dism /online /Enable-Feature /FeatureName:IIS-ISAPIFilter
    Dism /online /Enable-Feature /FeatureName:IIS-ASPNET /all
    Dism /online /Enable-Feature /FeatureName:IIS-CGI
    Dism /online /Enable-Feature /FeatureName:IIS-ServerSideIncludes
    Dism /online /Enable-Feature /FeatureName:IIS-CustomLogging
    Dism /online /Enable-Feature /FeatureName:IIS-BasicAuthentication
    Dism /online /Enable-Feature /FeatureName:IIS-WebServerManagementTools
    Dism /online /Enable-Feature /FeatureName:IIS-ManagementConsole
    
  4. Create a backup on a new node:
    %windir%\system32\inetsrv\appcmd add backup DefaultState

Useful tip

If you experience any inconsistency on IIS later you can revert the backup with this command:

%windir%\system32\inetsrv\appcmd restore backup DefaultState
  1. Export the application pools and the website from the old configuration:
    %windir%\system32\inetsrv\appcmd list apppool /config /xml > c:\apppools.xml
    %windir%\system32\inetsrv\appcmd list site /config /xml > c:\sites.xml
    
  2. The above step will export all the application pools and websites on your web server. Therefore, you need to edit apppools.xml and sites.xml and remove the applications that you do not need to import. For example:
    • AppPools:
      * DefaultAppPool
      * Classic .NET AppPool
      * SecurityTokenServiceApplicationPool
    • Websites:
      * Default Website
  3. Import the websites and application pools on the new node:
    %windir%\system32\inetsrv\appcmd add apppool /in < c:\apppools.xml
    %windir%\system32\inetsrv\appcmd add site /in < c:\sites.xml
    iisreset
    
  4. Unlock the modules and handlers by issuing the following:
    %windir%\system32\inetsrv\appcmd unlock config /section:system.webserver/modules
    %windir%\system32\inetsrv\appcmd unlock config /section:system.webserver/handlers
    
  5. Set up the registry and the firewall.
    1. Create the directory c:\install.
    2. Pull exe files from here.
    3. Put them inside c:\install.
    4. Execute the following:
      %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log /centralLogFileMode:"CentralW3C" /centralW3CLogFile.period:"Hourly" /centralW3CLogFile.logExtFileFlags:"Date, Time, ClientIP, UserName, SiteName, Method, UriStem, UriQuery, HttpStatus, BytesSent, UserAgent, Referer, ProtocolVersion, Host" /commit:apphost
      set-webconfigurationproperty /system.webServer/security/authentication/anonymousAuthentication -name userName -value ""
      cmd /C c:\install\RegistryUnlocker.exe u "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9fa5c497-f46d-447f-8011-05d03d7d7ddc}"
      cmd /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9fa5c497-f46d-447f-8011-05d03d7d7ddc}" /v RunAs /d "$domain\$domain_admin" /t REG_SZ /f
      cmd /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9fa5c497-f46d-447f-8011-05d03d7d7ddc}" /v EndPoints /d "ncacn_ip_tcp,0,22000" /t REG_MULTI_SZ /f
      cmd /C c:\install\LsaStorePrivateData set "SCM:{9fa5c497-f46d-447f-8011-05d03d7d7ddc}" "$appadminUserPassword"
      cmd /C c:\install\RegistryUnlocker.exe l "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9fa5c497-f46d-447f-8011-05d03d7d7ddc}"keys
      netsh advfirewall firewall add rule name="RPC Mapper" dir=in action=allow profile=domain remoteip=localsubnet protocol=tcp localport=135 service=RpcSs
      netsh advfirewall firewall add rule name="AHADMIN Fixed Endpoint" dir=in action=allow profile=domain remoteip=localsubnet protocol=tcp localport=22000 program=%windir%\system32\dllhost.exe
      iisreset
      
    5. Note the following lines:
      • line #4: change $domain\$domain_admin
      • line #6: change $appadminUserPassword
  6. Update the resource description file on the provisioning server:
    C:\Program Files (x86)\Atomia\AutomationServer\Common\Resources.xml

    ...
    <resourceList>
        <resource name="IISServersCluster">
            <property name="IPAddress">10.133.9.68</property> (old IP - remove this property-line)
            <property name="IPAddress">10.133.9.69</property> (add this property-line)
            <property name="ClusterIpAddress">81.236.49.251</property>
        </resource>
    </resourceList>
    ...
    
  7. Stop the service Atomia Automation Provisioning Engine service:
    iisreset
  8. Start the service Atomia Automation Provisioning Engine service.
  9. Configure the Load Balancers with the new node.
  10. Test the functionality.

Was this helpful?