Migrating a Web Server to IIS 5.0: Basic Steps

By Megan Davis, Web Technology Writer, Internet Information Services Documentation Team, Microsoft Corporation

This article is the third in a series, Getting Ready for IIS 5.0, that discusses steps you can take to get ready for Internet Information Services (IIS) 5.0. In this article, I take a "nuts and bolts" approach to migrating an individual Web server. You'll find detailed information about migrating configuration settings and content to a server running IIS 5.0 from another type of Web server, such as Apache HTTP Server or Netscape Enterprise Server.

Once you've completed the planning and preparatory steps described in Planning a Web Server Migration Project, you're ready to begin migrating your Web servers to IIS 5.0. This article describes the following steps:

  • Assessing hardware requirements and acquiring any new hardware needed for deployment.

  • Preparing the destination computer by creating partitions, installing Windows 2000 Server with IIS 5.0, and structuring directories.

  • Migrating Web and File Transfer Protocol (FTP) sites by replicating their content to the destination computer, correcting any problems with the files, and implementing special features.

  • Replicating Web application files to the destination server. Additional steps might be required to migrate applications to IIS 5.0, as discussed in my article, "Migrating Web Applications to IIS 5.0: Nuts and Bolts," which is published on MSDN.

  • Migrating log files.

  • Migrating Web server configuration settings.

  • Securing the new Web server by importing user and group information, setting permissions, installing security certificates, and configuring other security parameters.

Also in this article are details about migrating to IIS 5.0 from:

  • Apache HTTP Server

  • Netscape Enterprise Server

Note: You can use the IIS Migration Wizard, included on the Microsoft® Windows® 2000 Server Resource Kit companion CD, available from Microsoft Press early next year, to replicate Web site content and migrate Web server settings from Netscape Enterprise Server 3.5 or Apache HTTP Server 1.3. You can also use the wizard to upgrade a server running IIS 4.0, or to replicate a server running IIS 5.0.

Assessing Hardware Requirements

Your first step is to decide what type of hardware to use for the migration, and then obtain it and set it up. There are four different approaches to migration, and each one has a different implication for deployment hardware. This section describes the pros and cons of each approach and the hardware required. Later sections tell you how to perform the migration steps mentioned here.

  1. Migrate to a clean installation of Windows 2000 Server and IIS 5.0. The ideal approach to migration is to perform a clean installation of Windows 2000 Server and IIS 5.0 on a computer other than the production Web server. Migrate settings, content, and applications from the production Web server to the new IIS 5.0 server. Test and debug the new server before deploying it and taking the old production Web server offline.

    Hardware needed: A second computer is required, in addition to the existing production Web server.

    Pros: You can put new, updated hardware in place at the same time you perform the migration. You also avoid taking your production Web server offline until the new server is tested and deployed. Following deployment you can use the original server as a backup, in case problems arise with the new server that didn't appear during testing.

    Cons: You'll need to purchase the second computer, if you don't have a spare to use. However, the cost will be at least partly offset by the time saved conducting the migration and fixing problems.

    Recommendation: This is the ideal approach because it is the least likely to result in unforeseen problems, such as DLL conflicts. Because of the difficulty in conducting a cross-platform migration on a single computer, this is the only approach I recommend for migrating a UNIX-based Web server to IIS 5.0.

  2. Migrate a duplicate of a Windows NT–based Web server. Some people prefer this approach when they have a spare Web server already running Microsoft Windows NT: On the second computer (the "spare"), install the same software as exists on the production Web server, and then use the Windows 2000 Server Setup Wizard in order to upgrade to Windows 2000 Server and IIS 5.0. Migrate configuration settings, content, and applications to the new Web server. Test and debug the new server before deploying it and taking the old production Web server offline.

    Hardware needed: A second computer is required, in addition to the existing production Web server.

    Pros: You can opt to put new, updated hardware in place at the same time you perform the migration. You also avoid taking your production Web server offline until the new server is tested and deployed. Following deployment you can use the original server as a backup, in case problems arise with the new server that didn't appear during testing.

    Cons: You might need new hardware if you don't have a spare server. But if you're buying new hardware, you'd be better off to install Windows 2000 and IIS 5.0 on it, as in the first approach.

    Recommendation: For migrating from another Windows NT-based Web server, this approach is perfectly fine, and all of the testing we've done so far has not revealed any problems with it. However, my preference is to reformat the hard drive and migrate to a clean installation of Windows 2000 and IIS 5.0.

  3. Migrate a mirror of a Windows NT–based Web server. This is another approach many people use when migrating from a computer running Windows NT: Create a mirror image of the current production Web server (operating system, software, configuration settings, and content) on a second computer. Then use the Windows 2000 Server Setup Wizard to upgrade it to Windows 2000 Server and IIS 5.0. Migrate Web configuration settings, content, and applications to the new Web server. Test and debug the new server before deploying it and taking the old production Web server offline.

    Hardware needed: For this approach to work, the new hardware must exactly duplicate the existing server.

    Pros: You avoid taking your production Web server offline until the new server is deployed. Following deployment, if problems arise with the new server that didn't appear during testing, you can use the original server as a backup.

    Cons: Because the hardware on the new system must exactly duplicate the original server, you can't upgrade your hardware at the same time you migrate or upgrade the Web server.

    Recommendation: This method is more efficient than the last one because you don't have the extra step of separately migrating configuration and content. It's fine if you don't need to upgrade your hardware, and is far less risky than the next approach.

  4. Migrate the production Web server. Here's an approach some people use for migrating non-mission-critical Web servers when they have a limited (or nonexistent) hardware budget: Take the production Web server offline. Back up everything! If it's already running Windows NT Server, use the Windows 2000 Server Setup Wizard to upgrade the server to Windows 2000 Server with IIS 5.0. For a new installation, install Windows 2000 Server on a primary disk partition. This might require reformatting and repartitioning the hard disk. Migrate Web configuration settings, content, and applications to IIS 'in place' on the production Web server. Test and debug the server before deploying it.

    Hardware needed: No new hardware is required.

    Pros: There is no hardware cost.

    Cons: Migrating a production Web server is extremely risky. You must take the server offline, and it will not be available to users until you complete all migration tasks, testing, and debugging.

    Recommendation: This method is not recommended, unless you can afford to have your Web server offline for an indeterminate length of time.

Preparing the Destination Server

Once you've acquired and set up the necessary hardware, you need to prepare the destination server for migration by installing Windows 2000 Server and IIS 5.0, configuring directories, and installing tools and utilities. Because it's my preference, these steps assume that you've decided to migrate to a clean installation of Windows 2000 and IIS 5.0.

Note: The destination server (sometimes called the target server) is running Windows 2000 Server with IIS 5.0, and the source server is running the Web server software you plan to migrate. While source and destination servers could exist on the same physical computer, I do not recommend conducting a migration on a single computer. (The issues involved are described in the previous section, Assessing Hardware Requirements.) Therefore, in this discussion, source and destination servers are assumed to exist on separate computers.

  1. Back up the source server. Before you begin, create a backup file of all source server configuration settings, as well as files, applications, utilities, and other software used by your Web and FTP sites. Keep this file on a computer that's not involved in the migration.

  2. Identify items to migrate. Decide which items to migrate from the source server. Note any applications and scripts you need to modify in order for them to run on IIS 5.0. To migrate these items, you need to transfer them to a development computer for modification, then to a test server for testing, and finally to the production Web server for deployment.

  3. Estimate disk space and partition requirements. Estimate the total disk space needed for data, files, applications, and server software on the destination computer. For each item, make a note of the disk partition on which it will reside (some considerations are discussed next). Make sure the destination computer has sufficient hard disk space for your requirements.

  4. Install Windows 2000 Server and IIS 5.0. Install Windows 2000 Server and IIS 5.0 on the destination computer. When installing to a new computer, choose the clean install option. By default, Windows 2000 installs as a file server. If you are using this server primarily as a Web server, you should install it as an application server.

    During setup you create disk partitions and specify the file format for the primary, or system, partition onto which Windows 2000 Server will be installed. Be sure to allocate sufficient space in each partition for the content or system files it will hold. The following are some other issues to consider when creating disk partitions and specifying file format:

    • Security: To implement the highest level of security, format the partition onto which you install Windows 2000 Server as NTFS file system (NTFS).

      For security reasons, it's also a good idea to install the Windows 2000 Server and IIS 5.0 system software on a separate partition from the Web and FTP site content and applications. The following configuration should be fine in most cases:

      Drive C: Allocate 1.5 to 2 GB of disk space for Windows 2000 Server and IIS 5.0 executables.

      Drive D: Allocate 1 to 2 GB of disk space for the IIS root and Web site directories.

      Drive E: Allocate sufficient disk space to contain remaining software and content for your server.

    • Access from UNIX-based Computers: Keep in mind that only Windows NT– or Windows 2000–based computers can natively access data and files stored on NTFS partitions. Therefore, when using NTFS in a mixed environment, you might need to take additional steps to make sure files are available to UNIX-based computers. There are a couple of ways to do this. You can use Microsoft® Network File Sharing (NFS) client and server components that run on Windows 2000 and that support cross-platform file sharing. These and other useful tools and utilities are available as part of Windows NT Services for UNIX.

      Likewise the SAMBA shareware application suite allows UNIX clients to access Windows-based file systems. It also allows Windows-based clients to access files and printers on UNIX, NetWare, OS/2, or VMS servers that support the Server Message Block (SMB) protocol.

    For more information about creating and configuring Windows 2000 operating system partitions and directories, see the Windows 2000 Server online product documentation.

  5. Configure Windows 2000 Server. After installation, the next step is to configure Windows 2000 Server networking and security, and any additional services. For references on setup and administration, see the Windows 2000 Server online product documentation, as well as the "Additional Resources" section at the end of Planning a Web Server Migration Project.

  6. Structure Web and FTP site directories. When you install IIS 5.0 for the first time, the Windows 2000 Server setup program creates a Web server directory structure in Windows Explorer at c:\Inetpub\wwwroot\. This is where actual Web site content and application files are stored. IIS 5.0 also creates a Default Web Site in the IIS snap-in of the Microsoft Management Console (MMC). It points to the content stored in the root directory and provides configuration settings (properties) for the Web site and its associated files. IIS 5.0 gives the Default Web Site the same name as the computer running IIS 5.0, unless the computer Internet Protocol (IP) address is registered with a different name on the Internet or your corporate network.

    The following figure shows the Wwwroot directory in Windows Explorer and its associated Web site (in this case, the Default Web Site) in the IIS snap-in.

    The Wwwroot Directory in Windows Explorer and the Default Web Site in the IIS Snap-in

    You might be able to use the default directory structure as it is, or you might want to make some modifications to preserve paths (also called pathnames) within your content and application files. As much as possible, try to replicate the directory structure and names used on the source server. This minimizes broken links and the need to update URLs and pathnames within files following migration.

    Note: The Default Web Site in the IIS snap-in points to the IIS 5.0 online product documentation, supporting code, and application samples (accessible from the IIS snap-in Help menu, or by typing https://localhost/ in the address bar of your browser). If you delete the Default Web Site, you will no longer be able to open these items. Also, be aware that the Default Web Site is assigned port 80 by default. When you create a new Web site in the IIS snap-in, it also will be assigned port 80 by default. In order to continue accessing the documentation, you must change the port number of any new Web site you create to something besides 80 so that it doesn't conflict with the Default Web Site. To avoid these problems, it is best to use the Default Web Site to manage your Web site, rather than creating a new one. For more information, see the "Adding Sites" topic in the IIS 5.0 online product documentation.

    Storing Content outside the Web Server Root Directory

    The Virtual Directory feature of the IIS 5.0 snap-in allows you to publish content to your Web and FTP sites that is stored outside of the Web server root directory tree (c:\Inetpub\wwwroot) in Windows Explorer. Content—HTML files, scripts, images, and other files—can be stored in any Microsoft Windows directory on the local computer or another computer on your network. The only restriction is that the network drive containing the directory must be in the same Windows 2000 Server Domain as the computer running IIS 5.0. For more information about virtual directories, see the "Creating Virtual Directories" topic in the IIS 5.0 online product documentation.

  7. Install tools and utilities. Next, install tools and utilities on the destination server. These include all of the items you listed during the planning phase that must reside on the new server. If you're migrating from UNIX, you'll want to obtain and install the Windows 2000 Server counterparts of UNIX tools and utilities. Many of these are available on the Microsoft Windows 2000 Resource Kit companion CD. Others are available with Windows NT Services for UNIX.

    You'll also want to obtain and install the appropriate script interpreters (also called scripting engines) to run applications written as scripts. IIS supports any scripting language for which you have installed a script interpreter that follows the Active Scripting standard. For ASP applications, IIS natively supports Microsoft Visual Basic® Scripting Edition (VBScript) and Microsoft JScript®, so you don't need to install their interpreters. Active Scripting interpreters for Perl 5.0 and Regina REXX are available through third-party developers. TCL/Tk, Python, and REXX script interpreters that are compatible with Microsoft Win32® are available from third-party sources. In most cases, you should install the script interpreter in the Web server root directory (c:\Inetpub\wwwroot) and set appropriate NTFS and IIS 5.0 permissions. For more information, see the "Additional Resources" section at the end of Planning a Web Server Migration Project.

Migrating Web and FTP Sites

Next you migrate Web and FTP sites. This section describes the steps involved in doing this, including replicating content, creating virtual directories, correcting file formatting problems, repairing broken hyperlinks, and implementing special features, such as content expiration, footers, and server-side includes.

Replicating Windows-Based Files

You can copy files and directories between two Windows-based computers by using FTP, a serial connection, or the rcp utility that comes with the Windows 2000 operating system, or by creating a shared directory and copying the files across your local area network (LAN).

Keep in mind that a simple file copy and paste operation does not preserve some file data, such as security configuration, hyperlinks, and share information. The following paragraphs discuss some methods of preserving file data.

Preserving Permissions and Audit Settings

To copy files while retaining current Windows permissions and audit settings, you can use the XCopy utility that comes with Windows 2000 Server, by typing the following at the command prompt:

XCopy <current>:\<dir> <new>:\<dir> /o /x /s

For more information about using this tool, see the Windows 2000 Server online product documentation.

Preserving Hyperlinks and Web Structure

Both Microsoft FrontPage® and Microsoft Visual InterDev® Web development systems can replicate Web sites from one Windows-based computer to another, while preserving site directory structure and hyperlinks. However, you will need to recreate virtual paths, as these tools don't import this information.

Preserving Share Information

Copying files and directories is simple enough; however, share information isn't maintained in Windows directories, but rather in the registry, under LanmanServer. To preserve share information, you must also replicate this registry information from the source server currently hosting the shared files and directories, to the destination computer, as follows:

Note: The action described next will destroy any existing shares on the destination computer. Be sure to back up the registry before you begin.

Using the following registry key, save the source computer registry settings for shares to a file. Use Regedt32.exe, and not Regedit.exe, to edit the registry.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares

Copy the resulting settings file to the destination computer and then use the following registry key to restore the share settings to the destination server from this file. The settings will take effect after you restart the computer.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares

Caution: Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. To configure or customize Windows 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

Replicating UNIX-Based Files

You can copy files and directories from a UNIX-based computer onto disks or tape media, or move them across a network connection by using FTP. To transfer an entire Web directory tree in one file, you can use tar.exe for concatenating files and directories, compress them with one of several available utilities, and then use recursive FTP to transfer them to Windows 2000 Server. SAMBA is also useful for transferring files between computers running UNIX and Windows operating systems.

You can also copy files across a network by using the Windows 2000 rcp client to access a UNIX computer that's running the rcp daemon called rshd (Remote Shell Daemon). With rcp you can specify security parameters, as well as recursively copy files and directories between source and destination computers. In this case, the name of the Windows 2000 Server computer must appear in the .rhosts file on the UNIX computer. For more information, see the "rcp" topic in the Windows 2000 Server online product documentation.

Note: MS-DOS and Windows files use a carriage return and line feed character to mark the end of each line, while UNIX files use only a line feed character. The Windows 2000 rcp client automatically makes this conversion for you when run in ASCII transfer mode (the default).

Once the files are copied to Windows 2000 Server, you can separate any concatenated directories and files by using Tar.exe for Win32, or you can use WinZip to separate and uncompress them. WinZip provides built-in support for TAR, gzip, UNIX compress, UUencode, BinHex, and Multipurpose Internet Mail Extensions (MIME). Then you can move the files into the appropriate Web server directory, which is c:\Inetpub\wwwroot by default. For applications, it's particularly important to retain the original directory structure.

To obtain a public domain copy of Tar.exe for Win32, go to https://www.acs.oakland.edu/ and use the search term "nttar.zip."

Ws_ftp, a tool that performs recursive FTP, is available at https://www.shareware.com.

To download an evaluation version of WinZip, see https://www.winzip.com/.

Items to Note about Windows File Systems

Here are a few items you might want to note about Windows file systems if you've been accustomed to working in a UNIX environment.

  • On a Windows File Allocation Table (FAT) file system, Write access to a file is equivalent to full access. To protect data shared on a FAT file system, share it as a read-only resource. NTFS provides more security options for protecting data and is generally recommended over FAT. For more information about NTFS security, see the Windows 2000 Server online product documentation.

  • Because Windows FAT file systems were designed around single-user computers, they don't support the concept of a file owner or file group. However, the NTFS file system allows you to specify a file owner, which can be either an individual or a group.

  • Windows file systems do not support file links (symbolic links), but rather use a single-name/single-file concept with no support for multiple directory entries referring to the same file.

Converting UNIX File Names and Pathnames

When you migrate files and directories from a UNIX-based Web server, you need to edit file names and pathnames (called paths in Windows) so that they adhere to Windows conventions. You also need to edit any file names and pathnames within UNIX application files in order to run them on Windows 2000 Server. If you don't make these corrections, file and hyperlink references might malfunction, and in some cases files could be overwritten.

Conventions are slightly different between the Windows FAT and NTFS file systems. While for security reasons you will want to use NTFS as much as possible, there are cases where you might need to use FAT for cross-platform file sharing. The issues involved with both systems are described below.

  • File Name and Extension Length: UNIX supports long file names and four-character file extensions. Depending on the method you use, when you copy a UNIX file or directory to a Windows file system, Windows might truncate a long file name or extension using the Microsoft® MS-DOS® 8.3 convention.

  • Case Sensitivity: UNIX file names are case sensitive. Windows FAT file names are not case sensitive, and Windows NTFS file names are "case aware." In other words, NTFS preserves case, but doesn't use it in some functions, such as indexing. Also, in UNIX you can have two different files in the same directory with names distinguished only by case. For example, in any given directory you could have two different files, one named MyFile and the other named myfile. However, if you copy these files to a FAT directory, the Windows operating system preserves the letter cases of UNIX file names, but interprets the two names as being identical. It reads the first name correctly, but it reads the second as a duplicate name, and appends a number to it to make it unique. Using the previous example, this would result in the file name, MyFile(2).

  • Illegal Characters: The following characters are supported in UNIX-style file names, but are not permitted in Windows file or directory names:

    / \ : * ? " < > |

    The Windows operating system will replace each occurrence of one of these characters with the letter "X."

  • Directory Separators: UNIX pathnames use the forward slash (/) as a directory separator, and Windows paths use the backslash (\). Windows produces an error when it encounters UNIX-style pathnames.

  • Directory Hierarchy: The UNIX file system appears to be a single directory hierarchy whereas Windows storage is divided into one or more physical or virtual disk drives with a directory hierarchy on each. To access a file on Windows, you must know what disk drive the file is on and specify the drive letter (C:, D:, E:, and so forth) as part of the pathname for the file.
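The naming differences listed above (8.3 length, case-only duplicates, illegal characters) and the missing symbolic-link support noted earlier can be checked on the source server before any file is copied. This is an added example, not part of the original article; the function names and the sample paths are assumptions constructed for illustration, and names outside 8.3 are flagged conservatively because truncation depends on the copy method.

```python
"""Pre-migration audit of UNIX file names against the Windows conventions above."""
import os
import sys
from collections import defaultdict

# Characters the article lists as not permitted in Windows names. "/" is on the
# article's list too, but it is the UNIX separator and cannot occur inside a name.
ILLEGAL = set('\\:*?"<>|')


def fits_8_3(name):
    """True if name has a 1-8 character base, no extra dots, and a 0-3 character extension."""
    base, dot, ext = name.rpartition(".")
    if not dot:                      # no dot at all: the whole name is the base
        base, ext = name, ""
    return 0 < len(base) <= 8 and "." not in base and len(ext) <= 3


def audit_names(entries):
    """entries: iterable of (relative POSIX path, is_symlink).

    Returns a sorted list of (issue, path, detail) tuples.
    """
    findings = []
    siblings = defaultdict(list)     # (parent dir, lower-cased name) -> original names
    for path, is_symlink in entries:
        parent, _, name = path.rpartition("/")
        siblings[(parent, name.lower())].append(name)
        bad = "".join(sorted(ILLEGAL.intersection(name)))
        if bad:
            findings.append(("illegal-char", path, bad))
        if not fits_8_3(name):
            findings.append(("exceeds-8.3", path, name))
        if is_symlink:
            findings.append(("symlink", path, ""))
    # Names that differ only by case are treated as identical on FAT, so one
    # copy would be renamed or overwritten during the transfer.
    for (parent, _), names in siblings.items():
        if len(names) > 1:
            findings.append(("case-collision", parent or ".", ", ".join(sorted(names))))
    return sorted(findings)


def scan(root):
    """Walk a directory tree and return sorted (relative path, is_symlink) entries."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, os.path.islink(full)))
    return sorted(entries)


# Constructed sample of a small UNIX Web tree (not taken from a real server).
SAMPLE = [
    ("htdocs/index.html", False),
    ("htdocs/MyFile", False),
    ("htdocs/myfile", False),
    ("htdocs/q3:2.txt", False),
    ("htdocs/latest", True),
    ("cgi-bin/search.pl", False),
]

if __name__ == "__main__":
    # With a directory argument, audit that tree; otherwise audit the sample.
    source = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for issue, path, detail in audit_names(source):
        print(f"{issue:15} {path:30} {detail}")
```

Resolve every finding on the source side, or record the chosen Windows name, before replicating the tree so that no file is silently renamed or overwritten.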

Completing Web Site Migration

This section describes some additional steps you might need to take when migrating Web sites in order to restore hyperlinks, set up user Web sites, and replicate (or add) special features such as server-side includes, redirects, and directory indexes.

Repairing Hyperlinks

When you migrate Web pages, you need to find and repair any hyperlinks within them that were broken due to changes you might have made in the original Web site directory structure. You can use FrontPage features for testing and repairing hyperlinks, not only for internal URLs, but for those referring to external sites on the Internet as well.

Note: It is not recommended that you install the FrontPage client on the same computer as IIS 5.0. Instead, use FrontPage on a development computer to check and repair hyperlinks. Then publish the files to the computer running IIS 5.0, using the Web publishing features of FrontPage.

Setting up User Web Sites

IIS 5.0 provides the following options for implementing user Web sites, which are common in most Internet service provider (ISP) and volume hosting environments:

  • Host Headers: Implementing the HTTP 1.1 host header standard, you can create multiple Web sites on a single IIS server that share the same IP address. For browsers that do not support the HTTP 1.1 standard, IIS displays the home page for the Default Web Site and can be configured to send a cookie that automatically redirects users to the selected site on their next visit. For this reason, it is recommended that ISPs use the Default Web Site for their Web site, rather than for a customer Web site. This Web site can then display links to customer Web sites.

  • IP Addressing: You can create multiple Web sites by assigning each one a unique IP address.

  • Unique Port Numbers: You can create multiple Web sites by assigning each one a unique port number. For sites using something other than port 80, which is the default, users must append the port number to the URL to access the site. For example, https://www.microsoft.com/IIS:82 would access a Web site named IIS that uses port 82.

For more information about implementing these methods, see the "Web and FTP Sites" and "Name Resolution" topics in the IIS 5.0 online product documentation.

Implementing Special Web Features

IIS 5.0 supports many popular Web site features, such as directory browsing and indexing, document footers, and server-side includes. The following paragraphs describe some features you might want to implement on your Web sites.

  • Directory Browsing and Indexing: You can enable directory browsing and indexing on the Home Directory tab of Web Site Properties.

  • Document Footers: You can specify a document footer on the Enable Document Footer tab of Web Site Properties. For more information about document footers, see the "Adding a Footer to Web Pages" topic in the IIS 5.0 online product documentation.

  • Dynamically Updated Content: For content that must be frequently updated, you can generate dynamic Web pages by using ASP and HTML templates. IIS 5.0 builds pages on-the-fly from content that is dynamically extracted from a database.

  • Personalized Content: By using Dynamic HTML (DHTML) or the Browser Capabilities Component you can detect user browser capabilities to provide personalized content based on the user environment. For more information, see the "Client Capabilities" topic in the IIS 5.0 section of the SDK documentation on MSDN.

  • Redirection (HTTP redirect): You can specify redirection from a Web site to another URL on the Home Directory tab of Web Site Properties.

  • Server-Side Includes: IIS 5.0 supports server-side includes. A Web page that has included information must have the .stm file name extension. The virtual directory containing the .stm files must have either script or execute permissions enabled.

  • Time-Sensitive Content: To direct the user's browser to expire cached content at a specific date and time, you can enable content expiration on the HTTP Headers tab of Web Site Properties.

Completing FTP Site Migration

Here are a few steps you can take to reproduce (or add) special FTP site features.

  • Creating User Directories: To have a user automatically placed in their own FTP directory when logging on, create a virtual FTP directory with the same name as the user.

  • Creating Welcome Messages: On the Messages tab of FTP Site Properties, you can create a welcome message that will be displayed to users when they enter the FTP site.

Replicating and Configuring Applications

Application files are a special case. Rather than copying them directly to the new IIS 5.0 server, application files should be transferred to a development computer for any necessary editing or rewriting, and then to a test computer for testing and debugging. When you're ready to deploy the application on the new IIS 5.0 server, follow the instructions given in the "Configuring Applications" topic of the IIS 5.0 online product documentation.

My TechNet article, Migrating CGI Applications to IIS: Choosing an Approach, describes your options for migrating a CGI application to IIS 5.0. You can leave it as a CGI and make relatively minor changes so it runs on IIS 5.0. Or you can rewrite it as an ISAPI extension or an ASP application. The pros and cons of each approach are discussed in terms of development costs and server resources.

Migrating Log Files

IIS 5.0 supports the new W3C Extended Logging Format, and you can migrate any compliant log file to IIS 5.0. IIS 5.0 logs are stored in ASCII (text) files. If you want to preserve logging information from the source server, you can copy ASCII data from your log files to the IIS 5.0 log files.

The primary difference between UNIX and Windows 2000 Server logging is that UNIX log files are generally stored and viewed in plain text, but Windows 2000 Server provides a graphical user interface (GUI), called Event Viewer, for logging administration and viewing.

IIS 5.0 provides several features you can use to customize logged information, and you can either log to a text file or to an Open Database Connectivity (ODBC) Data Source Name (DSN) for dynamic evaluation. For more information about logging, see the "Logging Site Activity" topic in the IIS 5.0 online product documentation.
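As an added example (not from the original article), the following Python script converts Apache Common Log Format lines into W3C Extended Logging Format records, so that history from the source server can be kept alongside the IIS 5.0 logs. It goes beyond the article by converting rather than copying; the field selection and the sample lines are constructed assumptions, and lines that fail to parse are returned for review instead of being dropped.

```python
import re
from datetime import datetime, timezone

# NCSA Common Log Format: host ident user [timestamp] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed field selection for the converted file (W3C extended field names).
FIELDS = ["date", "time", "c-ip", "cs-username", "cs-method",
          "cs-uri-stem", "cs-uri-query", "sc-status", "sc-bytes"]


def clf_to_w3c(line):
    """Convert one Common Log Format line to a W3C record, or return None."""
    m = CLF.match(line.strip())
    if m is None:
        return None
    parts = m["request"].split()
    if len(parts) < 2:
        return None  # malformed request line: keep it for manual review
    try:
        local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # CLF records local time plus a UTC offset; W3C extended logs use GMT.
    utc = local.astimezone(timezone.utc)
    stem, _, query = parts[1].partition("?")
    return " ".join([
        utc.strftime("%Y-%m-%d"), utc.strftime("%H:%M:%S"),
        m["host"], m["user"], parts[0], stem, query or "-",
        m["status"], m["size"],
    ])


def convert(lines):
    """Return (w3c_lines, rejected_lines); nothing is silently dropped."""
    out = ["#Version: 1.0", "#Fields: " + " ".join(FIELDS)]
    rejected = []
    for line in lines:
        record = clf_to_w3c(line)
        if record is None:
            rejected.append(line)
        else:
            out.append(record)
    return out, rejected


# Constructed sample input (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - alice [10/Oct/1999:23:55:36 -0700] '
    '"GET /reports/q3.html?view=full HTTP/1.0" 200 2326',
    '192.0.2.44 - - [11/Oct/1999:08:01:02 +0100] '
    '"GET /index.html HTTP/1.0" 304 -',
    r'192.0.2.99 - - [11/Oct/1999:08:05:00 +0000] "\x16\x03" 400 -',
]

if __name__ == "__main__":
    converted, rejected = convert(SAMPLE)
    print("\n".join(converted))
    print("needs manual review:", rejected)
```

The first sample line crosses midnight when converted to GMT, which is the case to check before correlating migrated entries with new IIS 5.0 entries.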

Migrating Configuration Settings

Web servers—whether they are IIS 5.0, Netscape, Apache, or some other type—perform many of the same basic functions, and therefore offer many similar configuration options. However, the way in which you configure a server and the way settings are named can vary a great deal from one server to the next. This section describes the IIS user interface. Along with this article, I have provided specific information comparing IIS configuration settings with settings on Apache HTTP Server and Netscape Enterprise Server.

IIS 5.0 uses property sheets to provide a GUI for server configuration. You open property sheets from the IIS 5.0 snap-in of the MMC by right-clicking the item you want to configure, and then clicking Properties. For information about IIS 5.0 configuration options, see the "Server Administration" topic in the IIS 5.0 online product documentation.

Using the IIS 5.0 metabase, you can configure the server with greater granularity at the computer, Web site, virtual directory, directory, and file level. For more information, see the "Introduction to the IIS Metabase" topic in the IIS 5.0 online product documentation.

If you're new to Windows or IIS, here are a few tips:

  • When in doubt, right-click. When you're running Windows, right-clicking a window or an object reveals a menu of useful operations. For example, in the IIS snap-in, right-click an object such as the Administration Web Site or Default Web Site, and then click Properties. Then at the top of the dialog box, click the tab that corresponds to the configuration options you want to set.

  • If you get stuck, click the Help button. Click the Help button that appears in most dialog boxes to open a topic specific to that dialog box. You can also open the in-depth IIS 5.0 online product documentation as follows: In the left pane of the IIS snap-in window, click the Default Web Site and verify that it's running. Then at the top of the IIS snap-in window, click Help, and then click Help on Internet Information Services. From Windows 2000 Server Help, you can open IIS Help from within the "Internet Information Services" topic.

  • Remember that the IIS snap-in isn't Windows Explorer. Although the IIS snap-in and Windows Explorer look very similar, you use them for different purposes. You configure Web site, FTP site, and Web administration properties in the IIS snap-in. You can also create virtual directories for a Web or FTP site in the IIS snap-in, but only in Windows Explorer can you actually manage files and directories, performing operations such as:

    • Copying files and directories (or folders) to your Web and FTP site directories

    • Creating, moving, and deleting files and directories

    • Setting NTFS permissions for files and directories

    • Defining network file sharing for files and directories

  • Configure IIS 5.0 to recognize both Windows and UNIX-style home page names. To make migrating UNIX Web sites easier, specify the following five home page names in IIS Web Site Properties:

    • Index.htm

    • Index.html

    • Default.htm

    • Default.html

    • Default.asp

    This will cover nearly all cases for both UNIX and Windows Web sites.

Securing the Server

Once you've migrated Web content and applications to IIS 5.0, you need to configure security. This section discusses the basics of securing your Web server: migrating user and group accounts, migrating certificates, setting NTFS file and directory permissions, and setting IIS 5.0 permissions. For more in-depth information, see the security topics in the IIS 5.0 and Windows 2000 Server online product documentation. For additional details on security, see https://www.microsoft.com/technet/security/default.mspx.

Migrating Users and Groups

An important component of migration is transferring the identities and passwords of system users and groups to the new server. To make this easier, you can use Addusers.exe, a utility for adding user accounts to Windows 2000 Server, included on the Microsoft Windows 2000 Resource Kit companion CD. If you're migrating from Netscape Enterprise Server 3.5, consider using the IIS Migration Wizard included on the Resource Kit companion CD to automate the migration of your local user database.

You also need to configure security on the user and group accounts, and you might want to create new group identities to enhance security. For information about doing this, see the Windows 2000 Server online product documentation.

Setting NTFS Permissions

To protect your Web server from unwanted intrusions, you can set access permissions by user and group account for each file or directory stored in the Windows NTFS file system. Permissions set on a directory apply to each file within the directory. However, if a file within the directory has more restrictive settings, the more restrictive settings apply. For information about setting NTFS permissions, see the "Setting NTFS Permissions for a Directory or File" topic in the IIS 5.0 online product documentation. Note that you cannot set these access permissions for files and directories stored in a FAT file system.

The following are a few guidelines for configuring NTFS permissions for user and group accounts used by IIS 5.0:

  • Anonymous User: During installation, the IIS 5.0 Web and FTP services are assigned a default user account, called IUSR_computername, for anonymous users. Do not make this account a member of any privileged group.

  • IIS Admin Service: Do not give the IIS Admin Service the right to log on as the LocalSystem account.

  • Test: It's a good idea to create a Test group account to which you can give enlarged access permissions, such as Write or Execute, needed by application developers and testers.

  • Full Control: Only two accounts should always be given NTFS Full Control permissions: LocalSystem and Administrator. On selected files, you might want to also give full control to Owner/Creator.

Setting IIS 5.0 Permissions

You set additional access permissions for Web users in the IIS snap-in. One way to set up basic IIS 5.0 security is using the Permissions Wizard. To start the wizard, in the IIS snap-in select the Web site or directory for which you want to set permissions, click Action on the toolbar, point to All Tasks, and then click Permissions Wizard.

You can also configure security on Web Site property sheets. The following are some rules of thumb for setting IIS 5.0 permissions based on the type of access you want to provide. You might need to implement security differently than described here, depending on the requirements of your particular system. For more information about setting access permissions, see the "Access Control" topic in the IIS 5.0 online product documentation.

Note: If NTFS file and directory access permissions do not match the access permissions set in the IIS snap-in, the more restrictive settings take effect.

  • Web and FTP Site Anonymous Access: To protect the information on your computer, restrict access by anonymous users. To do this, in the IIS snap-in deny all access to the anonymous user account, which is IUSR_computername by default. Next, select the specific files and directories under the root to which you want to allow anonymous access and enable the appropriate permissions for the anonymous user account. To override the access restrictions you set at the root level for these files and directories, clear the Allow inheritable permissions from parent to propagate to this object check box.

  • Web and FTP Site Authenticated Access: To require users to provide a valid user name and password in order to access a Web or FTP site, in the IIS snap-in disable anonymous access on the Directory Security tab of Web Site Properties or FTP Site Properties. For Web sites, you can then select the type of authentication: Basic, Digest, or integrated Windows authentication. For more information, see the "Authentication" topic in the IIS 5.0 online product documentation.

    By default IIS 5.0 attempts to authenticate Web and FTP users from the local user database. For a Web site, you can change authentication to the domain user database from within the IIS snap-in. For an FTP site, you must modify the DefaultLogonDomain metabase property for the FTP service. To do this, you can use the IIS Administration Script Utility (Adsutil.exe), installed with IIS 5.0, as follows:

    At the command prompt, type:

    adsutil.exe set msftpsvc/DefaultLogonDomain "Name of Your Domain"

    Note: To set up an FTP site where users can upload files, but not see files already uploaded to the site by other users, use virtual directories. Enable Write, but not Read, permission for the user accounts. Give Read permission to the Administrator account only.

Setting Permissions Based on Content

The following table provides guidelines for setting NTFS and IIS 5.0 security on a directory, based on its type of content.

Basic Web Security Settings

| Content | Directory Name/Type | NTFS Account | NTFS Directory Permissions | IIS 5.0 Virtual Directory Permissions |
|---|---|---|---|---|
| Static (.htm, .gif, .jpg, and so on.) | Content | Authenticated Users | Read | Allow Anonymous Access. Allow Read permissions. Directory Browsing okay. |
| ASP pages | ASP pages | Authenticated Users | Execute | Allow Anonymous Access. Allow Read permissions. For Execute Permissions, choose Scripts only. Directory Browsing okay. |
| ASP-page includes | Includes | Authenticated Users | Execute | Allow Read permissions. |
| Server-side includes | Content | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, choose Script or Execute permissions. |
| CGI scripts | Scripts | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, choose Scripts only. Disable Read, Write, and Directory browsing. |
| ISAPI server extensions | ISAPI Extensions | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, choose Execute. Disable Read, Write, and Directory browsing. |
| ISAPI filters | ISAPI Filters | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, select Execute. Disable Read, Write, and Directory browsing. |
| Executable CGI applications | CGI bin | Authenticated Users | Execute | Disable Anonymous Access. For Execute Permissions, choose Execute. Disable Read, Write, and Directory browsing. |
| Databases | Databases | For remote databases, share out the directory and enable the Guest account for the IIS 5.0 Web service that accesses the share. | Security depends on the database. * See note that follows. | Security depends on the database. |
| Microsoft® Component Object Model (COM) and Microsoft® Distributed Component Object Model (DCOM) components | Components | | ** See note that follows. | Disable Anonymous Access. Enable Execute permissions only. Disable Read, Write, and Directory browsing. |
| Downloadable executable files | Downloads | Authenticated Users | Read | Enable Read permissions only. Disable Execute permissions or the file will execute rather than download. |

Note: *Whenever possible, keep Microsoft Access databases on the same computer as IIS 5.0. There isn't a secure way for an IIS 5.0 application to connect to an Access database located on a networked drive.

**In general, you should place COM and DCOM components in a directory with Execute permissions only. Place COM and DCOM components that need to write to data files in the same directory with the data files and enable both Execute and Write permissions. Be aware that setting Write permissions on a component directory creates the potential for intruders to upload and run an executable file on your server.
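One way to check a planned configuration against the table and notes above, as an added example that is not part of the original article: the Python script below encodes several table rows and flags virtual directories that deviate from them. The VDir model, the content-type keys and the inventory are hypothetical, and the Write-plus-Execute check generalizes the COM/DCOM note to every directory.

```python
from dataclasses import dataclass


@dataclass
class VDir:
    """IIS snap-in settings for one virtual directory (hypothetical model)."""
    path: str
    content: str      # key into BASELINE
    anonymous: bool
    read: bool
    write: bool
    browse: bool
    execute: str      # "none", "scripts" (Scripts only) or "execute"


# Rows of the "Basic Web Security Settings" table, encoded as
# (anonymous, read, write, browse, permitted Execute Permissions).
# False = the table says disable it; None = the table gives no guidance.
# "isapi" stands for both the ISAPI extension and ISAPI filter rows.
BASELINE = {
    "static":     (True,  True,  None,  True,  None),
    "asp":        (True,  True,  None,  True,  {"scripts"}),
    "ssi":        (False, None,  None,  None,  {"scripts", "execute"}),
    "cgi-script": (False, False, False, False, {"scripts"}),
    "isapi":      (False, False, False, False, {"execute"}),
    "cgi-bin":    (False, False, False, False, {"execute"}),
    "component":  (False, False, False, False, {"execute"}),
    "download":   (None,  True,  None,  None,  {"none"}),
}


def audit(v):
    """Return a list of (code, detail) findings for one virtual directory."""
    anon, read, write, browse, exec_levels = BASELINE[v.content]
    findings = []
    checks = (
        ("ANON", "anonymous access", v.anonymous, anon),
        ("READ", "Read", v.read, read),
        ("WRITE", "Write", v.write, write),
        ("BROWSE", "directory browsing", v.browse, browse),
    )
    for code, label, enabled, guidance in checks:
        if guidance is False and enabled:
            findings.append(
                (code, f"{label} is enabled; the table disables it "
                       f"for {v.content} content"))
    if exec_levels is not None and v.execute not in exec_levels:
        findings.append(
            ("EXEC_LEVEL", f"Execute Permissions is '{v.execute}', "
                           f"expected one of {sorted(exec_levels)}"))
    # From the COM/DCOM note: a writable directory that can also execute
    # lets an uploaded file be run on the server.
    if v.write and v.execute != "none":
        findings.append(
            ("WRITE_EXEC", "Write together with Execute permissions"))
    return findings


def report(inventory):
    """Map each directory path to the list of finding codes raised for it."""
    return {v.path: [code for code, _ in audit(v)] for v in inventory}


# Constructed inventory of a migrated site.
INVENTORY = [
    VDir("/images", "static", anonymous=True, read=True, write=False,
         browse=True, execute="none"),
    VDir("/cgi-bin", "cgi-bin", anonymous=True, read=True, write=False,
         browse=False, execute="execute"),
    VDir("/components", "component", anonymous=False, read=False, write=True,
         browse=False, execute="execute"),
    VDir("/downloads", "download", anonymous=True, read=True, write=False,
         browse=False, execute="scripts"),
]

if __name__ == "__main__":
    for v in INVENTORY:
        for code, detail in audit(v):
            print(f"{v.path}: {code}: {detail}")
```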

To help prevent unauthorized access to a directory

  1. In the IIS snap-in, disable Directory Browsing for that directory and its parent directory.

  2. Set up auditing on the directory so you can monitor any suspicious activity.

Migrating Security Certificates

One approach to migrating security certificates is using the Web Server Certificate Wizard. You can start the wizard in the IIS 5.0 snap-in from the Directory Security tab of Web Site Properties. For information about using the wizard, see the "Using the New Security Task Wizards" topic in the IIS 5.0 online product documentation.

Another approach to migrating a certificate is saving it as a .cer file and copying it to the new Windows 2000 Server. You can install the certificate by double-clicking the .cer file and then using the Web Server Certificate Wizard to bind the certificate to the appropriate Web site. Remember to create a backup copy of server and client certificates and keys in case they become corrupted during the transfer.

Integrating UNIX and Windows 2000 Server Security

Windows 2000 Server and UNIX handle their respective user accounts very differently, complicating security implementation in a mixed environment. If you plan a multi-step approach to migrating from UNIX to the more secure Windows 2000 Server environment, you might find it necessary to use a mixed authentication scheme during the early stages.

Windows 2000 Server implements the Kerberos v5 authentication protocol, a mature Internet security standard, as the default protocol for network authentication. This provides a foundation for authentication interoperability with other platforms, such as UNIX. For more information, see the security topics in the Windows 2000 Server online product documentation.

Migrating from Apache HTTP Server

This section provides additional details about migrating from Apache HTTP Server. It briefly compares Apache with IIS 5.0 and provides tables that match Apache directives to their corresponding IIS 5.0 properties. In this section:

Comparing Apache and IIS 5.0 Terminology

Migrating Apache Directives

Migrating Custom Modules

Comparing Apache and IIS 5.0 Terminology

The following are some Apache features that have different names and implementations on IIS 5.0.

Administration Interface

IIS 5.0 properties, which correspond with Apache directives, are contained in the metabase. The most significant difference you'll find between administering Apache and IIS 5.0 is the fact that IIS 5.0 provides graphical tools, the IIS snap-in and the Internet Services Manager (HTML), for configuring the metabase, whereas Apache provides plaintext configuration files, usually httpd.conf, srm.conf, and access.conf, in which you configure directives.

Apache administrators who prefer to work from the command line and to script routine tasks will be happy to know that IIS 5.0 also provides a set of tools for programmatic administration. These tools are described in the "Administering IIS Programmatically" topic in the IIS 5.0 online product documentation. For more information about using the tools, see "Administering an ISP Installation" in this book.

Apache administrators will also find that Windows 2000 Server commands are similar to familiar UNIX commands. Additional utilities for command-line administration are included with the Windows NT Services for UNIX, a suite of interoperability tools and utilities provided by Microsoft for Windows NT Server and UNIX. At the time of this writing, a version of these tools is under development for Windows 2000.

Security

If you're accustomed to Apache security, be aware that Allow and Deny access permissions are processed in a different order by Windows 2000 Server, producing results you might not expect. Windows 2000 Server always honors a Deny. If you deny permission to a group, and then try to allow permission to an individual member of the group, the member still will not be able to access the resource.

Also note that, unlike in Apache, CGI-bin is contained within the IIS 5.0 Web space. This is because NTFS and IIS 5.0 security sufficiently protect it from attack.
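The Deny behavior described above matters when an Apache rule of the form "deny everyone, then allow one" is translated literally into a group Deny plus a user Allow. This added example (not from the original article) models both evaluations in Python; the host addresses, account names and group name are constructed.

```python
def apache_allows(order, allow, deny, host):
    """Apache 1.3 Allow/Deny: the Order directive picks the list applied last."""
    allowed = "all" in allow or host in allow
    denied = "all" in deny or host in deny
    if order == "deny,allow":      # Deny first, Allow overrides, default allow
        return allowed or not denied
    if order == "allow,deny":      # Allow first, Deny overrides, default deny
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")


def windows_allows(acl, user, groups):
    """Windows 2000 as the article describes it: a matching Deny always wins."""
    principals = {user, *groups}
    matched = {kind for kind, who in acl if who in principals}
    if "deny" in matched:
        return False
    return "allow" in matched      # no matching entry at all means no access


# Apache source rule: Order deny,allow / Deny from all / Allow from 192.0.2.10
def apache_case(host):
    return apache_allows("deny,allow", allow={"192.0.2.10"}, deny={"all"},
                         host=host)


# Literal translation: deny the group, then allow one member. The member
# stays locked out because the Deny is honored regardless of the Allow.
LITERAL_ACL = [("deny", "Contractors"), ("allow", "pat")]

# Working translation: grant only what is needed and rely on the absence
# of an entry to keep everyone else out.
CORRECTED_ACL = [("allow", "pat")]

if __name__ == "__main__":
    print("Apache, 192.0.2.10:", apache_case("192.0.2.10"))
    print("Apache, 192.0.2.77:", apache_case("192.0.2.77"))
    print("Windows literal, pat:",
          windows_allows(LITERAL_ACL, "pat", ["Contractors"]))
    print("Windows corrected, pat:",
          windows_allows(CORRECTED_ACL, "pat", ["Contractors"]))
    print("Windows corrected, lee:",
          windows_allows(CORRECTED_ACL, "lee", ["Contractors"]))
```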

User Directory

You set up individual user Web sites differently on IIS 5.0 than on Apache HTTP Server. With Apache, you add a user to the machine, and then create a <~username> directory for the user's Web pages. The server then responds to the following request by displaying the user's Web pages:

https://www.server.com/<~username>

IIS 5.0 does not automatically create virtual directories for users. Instead, to add a user Web site you create a <username> directory for their files in Windows Explorer, create a virtual directory named <~username> in the IIS 5.0 snap-in, and then point it to the <username> directory.

Virtual Host

The IIS 5.0 counterpart to the Apache Virtual Host is a virtual server. As with Apache virtual hosts, each virtual server in IIS 5.0 has its own domain name and IP address. Apache also includes "name-based" virtual hosts in this category. IIS 5.0 supports this feature in the same manner as Apache, through host header names, but doesn't have a specific term for it.

Alias/Directory Alias

In IIS 5.0 an alias or directory alias is called a virtual directory. In Apache, you use the RedirectMatch/AliasMatch command to map a directory alias to a real directory located on the hard disk, as shown in the following example:

Alias /folder "c:/apache/htdocs/newfolder/"

To do the same thing in IIS 5.0, in the IIS snap-in, create a virtual directory and point it to the real directory in Windows Explorer. Using the previous example, the virtual directory would be named "folder," and you would point it to c:\apache\htdocs\newfolder\. Note the change from using forward slashes (/) in the UNIX pathname to backslashes (\) in the Windows path.

Custom Error Messages

In Apache, you provide custom error messages by editing the Error Document and referring to it by using the command:

ErrorDocument 404 https://www.domain.com/404.html

To customize error messages in IIS 5.0, in the IIS snap-in open Properties for the Web site. On the Custom Errors tab, you'll see the location of the error message files. From here, you can map custom error messages to a file or to a URL on the local server.

Redirects

In Apache you use the following .htaccess command to redirect a user to another file:

Redirect /oldfile.html https://www.domain.com/path/to/new/file

There are two ways to implement a redirection in IIS 5.0:

  1. In the IIS snap-in open Properties for the Web site. On the Home Directory tab, select A redirection to a URL, and choose the appropriate options.

  2. Or, put a Default.asp file, containing the following code, in the same directory as the old file:

<% Response.Redirect "https://www.domain.com/path/to/new/file" %>

Migrating Apache Directives

This section lists the core Apache HTTP Server 1.3 directives and lists corresponding IIS 5.0 metabase properties, as well as how to configure each property in the IIS snap-in. There is not a one-to-one correspondence between Apache and the IIS 5.0 configuration options: not all IIS 5.0 settings exist on Apache and vice versa. This section does not cover IIS 5.0 properties that have no counterpart in Apache. For in-depth information about IIS 5.0 configuration parameters and metabase properties, see the "Administrator's Reference" topic in the IIS 5.0 online product documentation.

Server Directives

Apache httpd.conf Directives and Corresponding IIS 5.0 Properties

| Apache Directive | IIS Metabase Property | IIS Snap-in Configuration |
|---|---|---|
| AccessConfig | Not applicable | In IIS 5.0 there is no separate access configuration file. |
| BindAddress | ServerBindings | For multihoming, IIS 5.0 allows you to specify Virtual Hosts, or virtual servers. To configure a virtual server, right-click a Web site, choose Properties, and then select the Web Site tab. Click the Advanced button on the Web Site tab, and add the correct IP address and Transmission Control Protocol (TCP) port. |
| CacheNegotiatedDocs | Not applicable | You can specify an expiration date for content in a browser or proxy cache. To configure this setting, right-click a Web site, choose Properties, and then select the HTTP Headers tab. Select the Enable Content Expiration check box and enter expiration dates. |
| ErrorLog | Not applicable | All errors for the Inetinfo process are logged to the Windows Event Log and do not need to be specified in the Web server configuration. |
| ExpiresActive | HttpExpires | In IIS 5.0 content expiration is disabled by default. To enable content expiration, right-click a Web site, choose Properties, select the HTTP Headers tab, and then check the Enable Content Expiration check box. |
| ExpiresDefault | HttpExpires | In IIS 5.0 content expiration is disabled by default. To enable content expiration, right-click a Web site, choose Properties, and then select the HTTP Headers tab. Select the Enable Content Expiration check box, and then set the parameters. |
| Header | HttpCustomHeaders | To create a custom header, right-click a Web site, choose Properties, and then select the HTTP Headers tab. In the Custom HTTP Headers box, click Add, and then type a name and a value for the header. |
| HostnameLookups | EnableReverseDNS | IIS 5.0 log files capture the IP addresses of Web site visitors. To look up the host name of a given IP address, enable the metabase property EnableReverseDns. To set IP address restrictions, right-click a Web site, click Properties, click the Directory Security tab, and then click the Edit button in the IP Address and Domain Name Restrictions box. |
| IdentityCheck | LogExtFileUserName | To log the identity of each Web site visitor, right-click a Web site, click Properties, and then click the Web Site tab. Select the Enable Logging check box, and then click Properties. Click the Extended Properties tab, and then select the User Name check box. |
| <IfDefine> | Not applicable | |
| Include | Not applicable | This directive is not needed in IIS 5.0. |
| KeepAlive | AllowKeepAlive, MaxConnections | In IIS 5.0, HTTP Keep-Alives are enabled by default. To disable Keep-Alives, right-click a Web site, and choose Properties. On the Web Site property sheet, clear the HTTP Keep-Alives Enabled check box. You set the maximum number of connections and the connection time-out in this location as well. |
| KeepAliveTimeout | Connection Timeout | To set the Keep-Alive time-out, right-click a Web site and then choose Properties. In the Connections box on the Web Site property sheet, select the Limited To radio button and, in the Connection Timeout box, specify the number of seconds you want before an idle connection times out. |
| Listen | ServerBindings | IIS 5.0 allows you to specify a port for name-based virtual hosts. To configure this setting, right-click a Web site and then choose Properties. On the Web Site property sheet, click the Advanced button, and then enter the TCP port number. |
| ListenBacklog | ServerListenBacklog | This is a service-level property, and it cannot be configured from the MMC. |
| MaxClients | MaxConnections | To configure this property, right-click a Web site, choose Properties, and then select the Web Site tab. Select the Unlimited or the Limited To radio button. For limited connections, in the Connection Timeout box specify the number of seconds before a connection should time out. |
| MaxKeepAliveRequests | Not applicable | There is no equivalent in IIS 5.0. |
| MaxRequestsPerChild | Not applicable | IIS 5.0 uses a limited number of processes, and there is no need to set the maximum number of requests per child process as there is with Apache. |
| Min/MaxSpareServers | Not applicable | IIS 5.0 uses a limited number of processes, and there is no need to account for this number. |
| NameVirtualHost | ServerBindings | An Apache virtual host corresponds to an IIS 5.0 Web site. In IIS 5.0 you can create virtual hosts either by using multiple IP addresses or by using a single IP address and HTTP 1.1 Host Header Names. To create a virtual host with a unique IP address, right-click a Web site, choose Properties, and then select the Web Site tab. Click the Advanced button and specify the IP address. To specify a host header name for a name-based virtual host, right-click a Web site, and then choose Properties. On the Web Site property sheet, click the Advanced button and enter the host header name for the IP address you want to use. |
| PidFile | Not applicable | IIS 5.0 does not offer the option to log its process ID to a file. |
| Port | ServerBindings | To set the port to which your Web server should listen, right-click a Web site, choose Properties, and then select the Web Site tab. Enter a port number in the TCP Port box. |
| Proxy Cache Parameters | Not applicable | IIS 5.0 cannot function as a proxy server on its own. Microsoft Proxy Server is recommended for use with Windows 2000 Server. |
| ProxyRequests | Not applicable | See the previous note for Proxy Cache Parameters. |
| RlimitCPU | CpuLimit | IIS 5.0 has a number of properties that specify CPU throttling parameters. To specify performance parameters in the IIS snap-in, right-click a Web site, choose Properties, click the Performance tab, and then choose the settings you want. |
| ScoreBoardFile | Not applicable | IIS 5.0 does not have a Scoreboard file. |
| ServerAdmin | Not applicable | IIS 5.0 does not have a configuration setting for displaying the administrator's name and contact information. You can add this information to your pages by using ASP. |
| ServerAlias | ServerBindings | IIS 5.0 allows you to specify a host header name for a name-based virtual host. To configure this setting, right-click a Web site, and then choose Properties. On the Web Site property sheet, click the Advanced button and enter the host header name for the IP address you want to use. |
| ServerName | Not applicable | The host name for your Web server is stored in your Domain Name System (DNS) server and is not required in IIS 5.0 configuration properties. However, you must specify an IP address and HTTP port in order for IIS 5.0 to serve content. |
| ServerPath | Path | This directive is migrated to the Path property of the IIS Virtual Directory object. This property defines the path from a virtual directory to its corresponding physical directory. You configure this property in the IIS snap-in when you create a new virtual directory, by specifying from which directory the content is to be served. |
| ServerRoot | Not applicable | IIS 5.0 does not have the same concept of server root and does not have a corresponding property. |
| ServerType | Not applicable | IIS 5.0 always runs in stand-alone mode. Once IIS 5.0 is started, its process remains in memory and listens to the specified HTTP port. You can't configure IIS 5.0 to dynamically load as with an inetd server on Apache. |
| StartServers | Not applicable | See the previous note for Min/MaxSpareServers. |
| Timeout | ConnectionTimeout | You can specify the maximum amount of idle time to elapse before your server drops a connection. To configure this setting, right-click a Web site, choose Properties, and then select the Web Site tab. Enter the maximum timeout value in the Connection Timeout box. |
| TransferLog | Not applicable | IIS 5.0 does not use a transfer log. |
| User/Group | Not applicable | When IIS 5.0 is installed, by default it creates the IWAM user account under which the server runs. You must be logged on as an administrator or operator in order to start and stop the IIS 5.0 service, but the process does not retain your permissions. |
| <VirtualHost> | Not applicable | For each Apache virtual host, you should create a new IIS Web site and apply the directives contained between the <VirtualHost> tags, including server bindings, to the Web site. You might need to correct the IP address of the new Web site, as well. |

Resource Configuration

Apache srm.conf Directives and Corresponding IIS 5.0 Properties

| Apache Directive | IIS Metabase Property | IIS Snap-in Configuration |
|---|---|---|
| AccessFileName | Not applicable | You can refer to these parameters for mapping access configuration information. However, in IIS 5.0 there is no separate access configuration file. IIS 5.0 security is integrated with Windows 2000 security. To limit access to a site or directory by user, you must configure a new user account in the Windows 2000 Server User Manager. You can also classify individuals or groups as "Web site Operators" with limited authority to administer a Web site. They do not have to be Windows 2000 Administrators. To define Web site Operators, in the IIS snap-in right-click a Web site, click Properties, and then click the Operators tab. |
| AddDescription | Not applicable | There is no corresponding property in IIS 5.0. |
| AddEncoding | MimeMap | To map a file extension to a MIME type, right-click a Web site, choose Properties, and then select the HTTP Headers tab. In the Mime Map box, click File Types, and then click New Type. Or, to edit an existing MIME type, select a file type in the list, and then click Edit. Type the file extension and associated MIME type in the appropriate boxes. |
| AddIcon | Not applicable | IIS 5.0 uses the standard Windows 2000 icons when displaying a directory. You cannot specify a substitute icon. |
| AddLanguage | Not applicable | There is no corresponding property in IIS 5.0. |
| AddType | MimeMap | To add MIME types, right-click a Web site, choose Properties, and then select the HTTP Headers tab. In the Mime Map box, click File Types, and then click New Type. Type the file extension and the associated MIME type in the appropriate boxes. |
| Alias | Not applicable | To create a virtual directory, right-click the FTP or Web site, click New, and select Virtual Directory. Use the New Virtual Directory Wizard to complete this task. |
| AliasMatch | Not applicable | There is no direct equivalent in IIS 5.0 because there is no concept of regular expressions. See the previous note for Alias. |
| DefaultIcon | Not applicable | Windows 2000 Server offers a standard default icon for file types that do not have a preset icon in the file system. |
| DefaultType | MimeMap | IIS 5.0 contains a comprehensive list of MIME types. You can add new MIME types to the list should you need to serve a new MIME type. To view default MIME types, right-click a Web site, choose Properties, and then select the HTTP Headers tab. Click the File Types button in the MIME Map section of the tab. |
| DirectoryIndex | EnableDirBrowsing | To allow directory browsing, right-click a Web site, choose Properties, select the Home Directory tab, and then select the Directory Browsing check box. IIS 5.0 does not allow you to specify a prewritten HTML document as a directory index. |
| DocumentRoot | Path | The Path property of the IIS Root object defines the path from a Web site home directory to its corresponding physical directory. To configure this property in the IIS snap-in, right-click a Web site, choose Properties, and select the Home Directory tab. Then specify the location of the home directory (document root). |
| ErrorDocument | HttpErrors | To enable custom error messages, right-click a Web site, choose Properties, and then select the Custom Errors tab. In cases where the custom error page is a standard HTML page, you need only copy the file to the IIS 5.0 system in order to complete the migration. In the case of CGI custom errors, you need to test the CGI scripts after moving them to IIS 5.0. |
| FancyIndexing | Not applicable | IIS 5.0 offers default indexing only. |
| HeaderName | Not applicable | There is no corresponding property in IIS 5.0. |
| IndexIgnore | Not applicable | There is no corresponding property in IIS 5.0. |
| LanguagePriority | Not applicable | There is no corresponding property in IIS 5.0. |
| MetaDir | Not applicable | You do not need to specify a Meta Directory to serve HTTP header information. To specify custom HTTP headers, right-click a Web site, choose Properties, select the HTTP Headers tab, and then click Add. Specify a header name and value in the appropriate boxes. |
| MetaSuffix | Not applicable | See the previous note for MetaDir. |
| ReadmeName | Not applicable | IIS 5.0 does not specify a default name for ReadMe files. |
| Redirect | HttpRedirect | To redirect a request to another resource, right-click a Web site, choose Properties, select the Home Directory tab, and then select A redirection to a URL. Type the URL in the Redirect to box. |
| RedirectTemp | HttpRedirect | In IIS 5.0, redirections are temporary by default. |
| RedirectPermanent | HttpRedirect | To make a redirection permanent, follow the steps previously given for Redirect. In addition, select the A permanent redirection for this resource check box after typing the URL. |
| ResourceConfig | Not applicable | This information does not directly translate to an IIS 5.0 property. |
| ScriptAlias | Not applicable | To replicate this information, create a Virtual Directory object using the Apache path information and set the IIS AccessExecute property to TRUE. Any virtual directory can execute scripts when the "Allow Scripts" permission is enabled in the IIS snap-in. To configure this property, right-click a Web site, choose Properties, select the Home Directory tab, and then select the Scripts only or the Scripts and Executables option in the Execute Permissions box. |
| TypesConfig | MimeMap | To view or configure MIME types, right-click a Web site, choose Properties, and then select the HTTP Headers tab. Click the File Types button in the MIME Map section of the tab. |
| UserDir | Not applicable | IIS 5.0 does not offer a default directory for ISP user httpd directories. You must create a virtual directory for each user in the IIS snap-in, and then point it to the user directory in Windows Explorer. |

Access Configuration

Apache access.conf Directives and Corresponding IIS 5.0 Properties

| Apache Directive | IIS 5.0 Metabase Property | IIS Snap-in Configuration |
| --- | --- | --- |
| AllowOverride | Not applicable | IIS 5.0 utilizes Windows 2000 security in order to restrict access to a site, so htaccess files are not necessary to control access. Note that in IIS 5.0 you can classify individuals or groups as "Web site Operators" with limited authority to administer a Web site. They do not have to be Windows 2000 Administrators. To define Web site Operators, in the IIS snap-in right-click a Web site, click Properties, and then click the Operators tab. |
| AuthDBGroupFile | Not applicable | Following migration, you must reconfigure all security on IIS 5.0, including users and groups. |
| AuthDBUserFile | Not applicable | See previous note for AuthDBGroupFile. |
| AuthDBMGroupFile | Not applicable | See previous note for AuthDBGroupFile. |
| AuthDBMUserFile | Not applicable | See previous note for AuthDBGroupFile. |
| AuthName | Realm | See previous note for AuthDBGroupFile. |
| AuthType | AuthBasic | In Apache, AuthType is usually set to Basic. The corresponding IIS 5.0 metabase property is AuthBasic. To configure authentication, right-click the virtual directory for which you want to set authentication, click Properties, and then click Directory Security. In the Enable anonymous access and edit the authentication methods for this resource box, click Edit, and then choose an authentication method. |
| <Directory> | Not applicable | You'll need to migrate defined directives enclosed in this tag to the corresponding IIS 5.0 virtual directory. |
| <DirectoryMatch> | Not applicable | You'll need to migrate defined directives enclosed in this tag to the corresponding IIS 5.0 virtual directory. |
| <Files> | Not applicable | You'll need to migrate defined directives enclosed in this tag to the corresponding IIS 5.0 virtual directory. |
| <FilesMatch> | Not applicable | You'll need to migrate defined directives enclosed in this tag to the corresponding IIS 5.0 virtual directory. |
| <Limit> | Not applicable | There is no equivalent in IIS 5.0. |
| <LimitExcept> | Not applicable | There is no equivalent in IIS 5.0. |
| <Location> | Not applicable | You'll need to migrate defined directives enclosed in this tag to the corresponding IIS 5.0 virtual directory. |
| <LocationMatch> | Not applicable | You'll need to migrate defined directives enclosed in this tag to the corresponding IIS 5.0 virtual directory. |
| Options, ExecCGI | AccessExecute | You can set most of the IIS 5.0 equivalents of the Options parameter by enabling execution or script permissions for any virtual directory. To do this, in the IIS snap-in right-click the directory for which you want to set permissions, and then click Properties. Click the Home Directory tab, and then set permissions in the Execute Permissions box. |
| Options Indexes | EnableDirBrowsing | To enable users to view directory contents, in the IIS snap-in right-click the directory for which you want to enable browsing, and then click Properties. Click the Home Directory tab, and then select the Directory browsing check box. |
| Server status reports | Not applicable | IIS 5.0 does not provide server status reports. |
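The access.conf table above can be applied as a pre-migration audit: walk the Apache file, record which virtual directory each listed directive belongs to, and single out the access controls that have no IIS 5.0 property and must be re-created by hand. This is an added example, not part of the original article or of the IIS Migration Wizard; the function names `audit` and `unmapped`, the sample paths, and the choice to record rules enclosed by `<Limit>` verbatim are assumptions made for the illustration.

```python
import re

# Directive -> IIS 5.0 metabase property, from the access.conf table above.
# None = the table says "Not applicable": the setting must be rebuilt by hand.
PROPERTY = {
    "authtype": "AuthBasic", "authname": "Realm", "allowoverride": None,
    "authdbgroupfile": None, "authdbuserfile": None,
    "authdbmgroupfile": None, "authdbmuserfile": None,
}
OPTION_PROPERTY = {"execcgi": "AccessExecute", "indexes": "EnableDirBrowsing"}
NO_EQUIVALENT = {"limit", "limitexcept"}  # containers with no IIS 5.0 equivalent
OPEN = re.compile(r"<(\w+)[^>]*>")
CLOSE = re.compile(r"</\w+>")

def audit(conf_text):
    """Return (scope, config line, IIS property or None) per table directive."""
    findings, stack = [], []  # stack: open containers, innermost last
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        scope = " > ".join(stack) or "(server)"
        if CLOSE.fullmatch(line):
            del stack[-1:]  # pop the innermost container, if any
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            if opened.group(1).lower() in NO_EQUIVALENT:
                findings.append((scope, line, None))
            stack.append(line.strip("<>"))
            continue
        key, args = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if stack and stack[-1].split()[0].lower() in NO_EQUIVALENT:
            # Rule enclosed by <Limit>/<LimitExcept>: dropped with its container.
            findings.append((scope, line, None))
        elif key == "options":
            for opt in args.split():  # "-Indexes" (disabled) matches no key
                prop = OPTION_PROPERTY.get(opt.lstrip("+").lower())
                if prop:
                    findings.append((scope, "Options " + opt.lstrip("+"), prop))
        elif key in PROPERTY:
            prop = PROPERTY[key]
            if key == "authtype" and args.strip().lower() != "basic":
                prop = None  # the table maps only Basic to AuthBasic
            findings.append((scope, line, prop))
    return findings

def unmapped(findings):
    """Settings with no IIS 5.0 property: access control to re-create by hand."""
    return [f for f in findings if f[2] is None]

# Constructed sample access.conf (hypothetical paths, not from a real server).
SAMPLE = """<Directory /usr/local/apache/htdocs/private>
AllowOverride None
Options Indexes -ExecCGI
AuthType Basic
AuthName "Staff only"
AuthDBUserFile /usr/local/apache/conf/users.db
<Limit GET POST>
require valid-user
</Limit>
</Directory>"""
```

Every entry returned by `unmapped(audit(SAMPLE))` is a restriction that exists on the Apache server and will be absent on the new server until it is rebuilt with Windows 2000 users, groups, and permissions.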

Migrating Custom Modules

In Apache, custom modules extend the capabilities of the Web server. With IIS 5.0, there are a number of options for extending server capabilities. There is no direct way to migrate a custom module, so it must be recreated in IIS 5.0 using one of the following approaches:

  • ASP with COM components or ISAPI DLLs can be written to duplicate most of the desired functionality, such as database or file system access. There are a number of built-in ASP objects to speed this task, such as FileSystemObject, which provides the methods, properties, and collections you use to access the file system.

  • ISAPI filters allow you to implement custom authentication and logging, as well as URL rewriting, or "munging."

For more information about using these technologies, see the IIS 5.0 section of the SDK documentation on MSDN.

Migrating from Netscape Enterprise Server

This section provides additional details about migrating from Netscape Enterprise Server (NES). It briefly compares NES with IIS 5.0 and provides tables that match NES configuration settings to their corresponding IIS 5.0 properties. In this section:

Comparing NES and IIS 5.0 Terminology

Migrating NES Configuration Settings

Comparing NES and IIS 5.0 Terminology

Here are some essential terms used in NES with explanations of their equivalents in IIS 5.0.

  • Hardware Virtual Server: In NES, a "hardware virtual server" is a site with a separate IP address; the term implies a number of Web sites on a single computer, each with a separate IP address. The counterpart in IIS 5.0 is a virtual server. As with NES hardware virtual servers, each virtual server in IIS 5.0 has its own domain name and IP address.

  • Software Virtual Server: In NES, a "software virtual server" is a site that may share an IP address with one or more other sites. In IIS 5.0, you can assign any number of sites to a single IP address and distinguish them by using host headers, but no special term is employed to describe them.

  • Multiple Instances of the Server: In NES, you host multiple Web sites on one computer by using multiple instances of the server if:

    • The operating system does not have strong thread support.

    • The operating system does not allow a single process to schedule threads on more than one processor.

    • Multiple instances of the server provide full process isolation, protecting a Web site from failure should another site on the same system crash.

    It isn't appropriate to run multiple instances of IIS 5.0, because IIS 5.0 running on Windows 2000 Server offers thread support across multiple processors, full configuration of each site hosted by the server, and process isolation for applications.

  • Server Manager: Server Manager is the NES administration tool equivalent to the IIS snap-in for the MMC.

  • Directory Aliases: In NES, you can map an alias such as this:

    /admin-offices/student

    to a real directory such as this:

    /admin-offices/studaffairs/cpc

    In IIS 5.0 a virtual directory corresponds to an alias. You can use the New Virtual Directory Wizard to create a virtual directory. To start the wizard, in the IIS snap-in select the Web site for which you want to define a virtual directory, click the Action button, point to New, and then select Virtual Directory. For more information, see the "Creating Virtual Directories" topic in the IIS 5.0 online product documentation.

Migrating NES Configuration Settings

The tables in this section list NES 3.5 settings along with their corresponding metabase properties, as well as how to configure the property in the IIS 5.0 snap-in. Each heading within this section corresponds to a tab within the NES Server Manager. Note that IIS 5.0 administrative settings, or properties, can be set on the server, site, directory, or even file level. Most NES settings apply to the site level only.

Server Preferences

NES 3.5 Server Preferences and Corresponding IIS 5.0 Properties

| NES 3.5 Configuration Setting | IIS Metabase Property | IIS Snap-in Configuration |
| --- | --- | --- |
| Bind To Address | ServerBindings | Right-click a Web site, click Properties, and then click the Web Site tab. The setting appears in the IP Address box. |
| Convert 2.0 ACL file | Not applicable | There are no settings to migrate. |
| Dynamic Configuration Files | Not applicable | In IIS 5.0 you can classify individuals or groups as "Web site Operators" with limited authority to administer a Web site. They do not have to be Windows 2000 Administrators. To define Web site Operators, in the IIS snap-in right-click a Web site, click Properties, and then click the Operators tab. |
| Enable DNS | Not applicable | In IIS 5.0 you can restrict access by domain name. However, this feature can have a significant negative effect on server performance. |
| Encryption | Not applicable | You can install a server certificate and enable encryption by using the Security Task Wizards. |
| Error Responses | HttpErrors | When migrating a custom error page that is a standard HTML page, you need only copy the file to the IIS 5.0 system to complete the migration. In the case of CGI custom errors, you need to test the CGI scripts after moving them to IIS 5.0. To enable custom error messages in the IIS 5.0 snap-in, right-click a Web site, choose Properties, and then select the Custom Errors tab. |
| HTTP Persistent Connection Timeout | ConnectionTimeout | Right-click a Web site, click Properties, and then click the Web Site tab. The setting appears in the Connection Timeout box. |
| Maximum Simultaneous Requests | MaxConnections | Right-click a Web site, click Properties, and then click the Web Site tab. The setting appears in the Limited To box. |
| MIME Types | MimeMap | Right-click a Web site, click Properties, click the HTTP Headers tab, and then select the File Types button. |
| MTA Host and NNTP Host | Not applicable | Windows 2000 Server includes Simple Mail Transfer Protocol (SMTP) and Network News Transfer Protocol (NNTP) services. For more information, see the Windows 2000 Server online product documentation. |
| On/Off | Not applicable | Select a Web site you want to stop or start, and then click the Stop or Start toolbar button. |
| Restore Configuration | Not applicable | IIS 5.0 supports configuration backup. To back up the IIS 5.0 metabase, in the IIS snap-in right-click the computer name, choose Backup/Restore Settings, click Backup, type a name for the backup file, and then click OK. |
| Restrict Access | Not applicable | IP address restrictions are not migrated because they are defined differently in IIS 5.0. To set IP address restrictions, right-click a Web site, click Properties, click the Directory Security tab, and then click the Edit button in the IP Address and Domain Name Restrictions box. |
| Server Name | ServerBindings | The setting is migrated to a host header name. For information about this feature, see the "Naming Web Sites" topic in the IIS 5.0 online product documentation. |
| Server Port | ServerBindings | Right-click a Web site, click Properties, and then click the Web Site tab. The setting appears in the TCP Port box. |

Applications

NES CGI applications can be ported directly to run on IIS 5.0, or they can be converted to ISAPI or ASP. For a discussion about making this decision, see my TechNet article Migrating CGI Web Applications to IIS: Choosing an Approach.

NES 3.5 Application Settings and Corresponding IIS Properties

| NES 3.5 Configuration Setting | IIS Metabase Property | IIS Snap-in Configuration |
| --- | --- | --- |
| CGI Directory | Not applicable | You must create a virtual directory for CGI applications and enable Execute permissions on it. |
| CGI File Type | Not applicable | There is no corresponding property in IIS 5.0. |
| Java | Not applicable | The Java virtual machine is already enabled on IIS 5.0, so there is no need to migrate this setting. |
| Query Handler | Not applicable | There is no corresponding property in IIS 5.0. |
| Server Side JavaScript | Not applicable | IIS 5.0 includes server-side support for JScript and VBScript. There is no need to migrate a switch setting for these languages. |
| ShellCGI Directory | Not applicable | You must create a virtual directory for ShellCGI applications and enable Execute permissions on it. |
| URL Prefix | Not applicable | You must create a corresponding virtual directory. |
| WAI Management | Not applicable | This setting has to do with the Internet Inter-ORB Protocol (IIOP); IIS 5.0 uses the COM and DCOM object models. |
| WinCGI Directory | Not applicable | WinCGI is not supported in IIS 5.0. For information on dealing with this, see my TechNet article, Migrating CGI Web Applications to IIS: Choosing an Approach. |

Server Status

NES 3.5 Server Logging and Corresponding IIS 5.0 Properties

| NES 3.5 Configuration Setting | IIS 5.0 Metabase Property | IIS Snap-in Configuration |
| --- | --- | --- |
| Archive Log | Not applicable | There is no corresponding property in IIS 5.0. When you set your logging preferences in IIS 5.0, you can use Microsoft Windows 2000 Backup or other third-party backup tools to archive the log files and remove them from the server as appropriate. |
| Generate Report | Not applicable | There is no corresponding property in IIS 5.0. You can customize and extend IIS 5.0 logging in the IIS snap-in. You can set viewing options and filters in the Windows 2000 Server Event Viewer. |
| Log Preferences | Not applicable | To enable logging and set preferences, right-click the Web site, and on the Web Site tab, select the Enable Logging check box. In the Active Log Format list, choose W3C Extended Log File Format. Then click Properties and complete the configuration. |
| Log Client Accesses | LogType | See previous note for Log Preferences. |
| Record Domain Names/IP Addresses | LogExtFileClientIp, LogExtFileComputerName | See previous note for Log Preferences. |
| Format | Not applicable | There is no corresponding property in IIS 5.0. |
| Monitor Current Activity | Not applicable | There are no settings to migrate. To monitor server activity on IIS 5.0, use the Windows 2000 Server System Monitor to evaluate performance and resource consumption. |
| Simple Network Management Protocol (SNMP) Sub-Agent Configuration | Not applicable | There is no corresponding property in IIS 5.0. |
| Rotate Log | LogFilePeriod | See previous note for Log Preferences. |
| View Access Log | Not applicable | There is no comparable setting. You can view access logs from the Windows 2000 Server Event Viewer. |
| View Error Log | Not applicable | There are no settings to migrate. You can view error logs from the Event Viewer. |

Configuration Styles

The settings under this heading do not migrate directly to IIS 5.0. IIS 5.0 includes support for property inheritance, which achieves much the same result as configuration styles. In the IIS snap-in, you can right-click the server and set global properties for the WWW Service. Every new Web site created on the server inherits these properties. Similarly, when you set properties for a Web site, directories created for the site inherit site properties.

Content Management

NES 3.5 Content Management and Corresponding IIS 5.0 Properties

| NES 3.5 Configuration Setting | IIS 5.0 Metabase Property | IIS Snap-in Configuration |
| --- | --- | --- |
| Document Footer (Footer Text) | DocFooter | You can specify a document footer for the entire IIS 5.0 server, for a single Web site, or for a directory. To configure this setting, right-click the server, a Web site, or a directory; click Properties, and then click the Documents tab. |
| Additional Document Directories (URL Prefix, Map to Directory) | Not applicable | This corresponds to the IIS virtual directory feature. You can use the New Virtual Directory Wizard to create a virtual directory. To start the wizard, select the Web site for which you want to define a virtual directory, click the Action button, point to New, and then select Virtual Directory. |
| Cache Control Directives | Not applicable | By default, HTML pages in IIS 5.0 are cached by proxy servers. The default value for ASP pages is "private," meaning they cannot be cached. You can use the Response object to control whether a proxy server caches the page. |
| Default MIME Type | Not applicable | IIS 5.0 includes a comprehensive list of MIME types. Should you need to serve new MIME types, you can add them to the list. To view or edit MIME types, right-click a Web site, choose Properties, and then select the HTTP Headers tab. Click the File Types button in the MIME Map section of the tab. |
| Directory Indexing | EnableDirBrowsing | To configure this setting, right-click a Web site, click Properties, and then click the Home Directory tab. Select the Enable Directory Browsing checkbox. |
| Hardware Virtual Servers (IP Address, Document Root) | ServerBindings | To configure a virtual server, right-click a Web site, choose Properties, and then select the Web Site tab. Click the Advanced button, and add the IP address and TCP port. |
| Home Page/Index File | DefaultDoc | To configure this setting, right-click a Web site, click Properties, and then click the Home Directory tab. |
| Index Filenames | DefaultDoc | See the previous note for the Home Page/Index File. |
| International Characters | Not applicable | For ASP pages, you specify the character set by using the Response.Charset property. |
| Parse Accept Language Header | Not applicable | Microsoft Indexing Service can interpret this header, in order to determine the language in which a query is being written. |
| Parse HTML | Not applicable | By default IIS 5.0 processes files with .stm, .shtm, or .shtml file name extensions. For information about enabling and using server-side includes, see "About Server-Side Includes" in the IIS 5.0 online product documentation. |
| Primary Document Directory | Not applicable | If you want to specify a primary document directory, you can use the New Virtual Directory Wizard to create a virtual directory to define it. To start the wizard, select the Web site for which you want to define a virtual directory, click the Action button, point to New, and then select Virtual Directory. |
| Software Virtual Servers (URL Host, Home Page) | ServerBindings | In IIS 5.0 you can assign any number of sites to a single IP address and distinguish them by using host headers, but no special term is employed to describe them. To configure a virtual server by using host headers, right-click a Web site, and then choose Properties. On the Web Site property sheet, click the Advanced button and enter the host header name for the IP address you want to use. |
| URL Prefix, Forward Requests To | HttpRedirect | This is called redirection in IIS 5.0. To redirect a request to another resource, right-click a Web site, choose Properties, select the Home Directory tab, and then select A redirection to a URL. Type the URL in the Redirect to box. |

Web Publishing

Web publishing can be supported with client-side development and management tools such as FrontPage (a member of the Microsoft Office family) and Visual InterDev.

Agents and Search

Indexing Service, included with Windows 2000 Server, provides index and search capabilities. For more information, see the Windows 2000 Server online product documentation.

Auto Catalog

As with Agents and Search settings, IIS 5.0 uses Indexing Service to build a searchable catalog of information about the content of the Web site.