The Tasty Morsels Found In Dogfood… MSCOM OPS Top 10 Changes In IIS7.0

Dogfood….yummmm! Yes it is true, has been running Beta 3 of Windows Server 2008 in production since June 12, 2007. What does that mean? 78 of 80 servers that host the website are running W2K8 Beta 3 and IIS7.0. Why only 78? We keep a couple of servers running our previous build of W2k3 and IIS6.0 as a reference. The move from W2K3 to W2K8 while very slick, is a topic for another blog. This is about the top 10 changes that we encountered in IIS7.0

1. Simple, Configurable Command Line Setup

· Install only the IIS components needed to run your site

start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-Security;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

2. Great Compatibility Story

· Most (99%+) ASP and ASP.NET applications just worked.

ü One application encountered breaking change

ü Handful of applications required config migration to run in Integrated
(We have about 260 applications running on as defined by IIS, there are thousands of pages of code that could have broken but didn’t.)

· Integrated Pipeline is the new unified request processing pipeline. Benefits include:

ü Allowing services provided by both native and managed modules to apply to all requests, regardless of handler. For example, managed Forms Authentication can be used for all content, including ASP pages, CGIs, and static files.

ü Empowering ASP.NET components to provide functionality that was previously unavailable to them due to their placement in the server pipeline. For example, a managed module providing request rewriting functionality can rewrite the request prior to any server processing, including authentication, takes place.

ü A single place to implement, configure, monitor and support server features. For example, single module and handler mapping configuration, single custom errors configuration, single url authorization configuration.

· Classic ASP mode allows for easy app migration

ü ASP.NET Setup provides a “Classic .NET AppPool”

ü For more information on check out the article ASP.Net Integration With IIS7

· Use AppCmd to migrate apps to Integrated mode

ü %windir%\system32\inetsrv\APPCMD.EXE migrate config <Application Path>

ü For more information about AppCmd.exe see Getting Started With AppCmd.exe

· IIS 6.0 Metabase compatibility layer

ü Allows you the run old ADSI scripts

ü IIS6.0 Metabase Compatibility module must be installed

3. No More Metabase!

· Clean clear-text schema

· IIS settings stored in XML configuration file (applicationHost.config)

ü Metabase exists for SMTP/NNTP/FTP only

· Site-wide changes made easily

ü Update central applicationHost.config and copy to all web servers

ü Replaces our bulky ADSI based script solution for metabase changes

· considerations

ü Careful copying to production servers under load:
(Know Thy Environment! When you push out a new applicationHost.config those affected worker process need to reload the new configuration. It comes down to the scope of the change. For example, if you are making a global change that that affectes all the worker processes, and you are heavily dependent on caching then you could cause some grief in your environment as those new configurations are reloaded by the worker processes.)

4. Centralized Configuration

· applicationHost.config stored on UNC share

· Allows us to copy to two (maybe four) servers rather than 80

ü Potential gotcha - managing password changes for account used to connect to config store
(This is because that currently you cannot use the UNC share that is running under the Network service, which we use heavily. It currently requires a domain account, which our security policy mandates a periodic password change.)

5. Delegated Configuration

· Admin can now delegate IIS settings to application owner

· Settings defined in web.config file in application directory

· Example of setting to delegate include:

ü System.webServer section of applicationHost.config

ü Caching, defaultDocument, httpErrors, security

6. AppCmd and Other New Management Options

· Managing via the UI

ü New modular, task-based look and feel

ü Moving away from the right-click/properties paradigm

· Managing via the Command Line

ü AppCmd

§ Command line utility which replaces adsutil.vbs, iisapp.vbs, and others

§ Allows command line management of sites, applications, vdirs, apppools, modules, tracing, and more

ü Powershell

§ IIS community creating IIS-specific Powershell cmdlets

· MSCOM Considerations

ü AppCmd limitations – no remote

ü No IIS provider for Powershell

7. Failed Request Tracing

· Buffers the trace events for requests and flushes them to disk if they meet your failure criteria

· Captures trace data while you’re sleeping

· Very little perf impact when targeting failing requests

· Quick test: Enabling tracing for all file extensions and errors results in approx 5% fewer requests/sec at full stress load (please don’t do this in production)

· View Currently Executing Requests via AppCmd

ü appcmd list requests (for all request)

ü appcmd list requests /

REQUEST "3e00000080012675" (url:GET /casestudies/casestudy.aspx?casestudyid=201269, time:2954 msec, client:

· New Task Scheduler

ü Trigger tasks on events

8. Request Filtering

· No more URLScan

· </requestFiltering> settings in applicationHost.config

· Gotcha for If filename includes “+” then allowDoubleEscaping must be set to “true

ü <requestFiltering allowDoubleEscaping="true">

· Allow or disallow specific file extensions and verbs

ü <add fileExtension=".exe" allowed="false" />

· DenyURLSequences

ü <add sequence="./" />

ü <add sequence="/." />

· RequestLimits

ü maxAllowedContentLength="1000000“

ü maxUrl="260“

ü maxQueryString="2048"

9. UNC Content

· Simplified content synchronization

· Reduced H/W footprint (potentially less cost)

ü Common industry pain point

10. Output Caching of Dynamic Content

· Fewer off-box calls to backend dependencies

· Significant performance gains

· Simple WCAT (Web Capacity Analysis Tool) Stress Test against
Not appropriate for all applications (e.g. not effective for those with very personalized output)

Well that is our Top 10. We are making new discoveries every week and are looking forward to the next builds that we can update to. We are filing bugs when we find them and will continue to push information to the product teams and we will try and keep this blog updated as new, juicy morsels are discovered in the Dogfood.