Running Remote Commands

You can administer IIS from the command line two ways: locally or from a remote machine. To administer IIS locally, log on interactively to the machine’s console, open a command-prompt window, and type the command you want to run. For example, say you want to restart your IIS machine using the iisreset command. To do this, log on to the machine’s console using an account with administrator privileges, open a command prompt, and type iisreset. The result of doing this is shown in Figure 11-1. Note that to use IISReset your user account must be one of the following:

Figure 11-1: Running IISReset on the local machine as Administrator

• A member of the Administrators group on the IIS machine (such as the default Administrator account created during installation).

• A member of the Domain Admins group (if IIS is deployed in a domain instead of a workgroup scenario).

What if you want to do this remotely instead? Most admins prefer to do their work using an administrator workstation in their office instead of going to the server room to log on locally to a server. If your administrator console is a Windows Server 2003 machine, simply open a command prompt, and type iisreset computername where computername is the IP address, NetBIOS name, or DNS name of your IIS machine. The type of name you use will depend on what name resolution method you are working with and whether your IIS and administrator machines are on the same LAN or connected via the Internet. If this doesn’t work and you get a message like the one in Figure 11-2, then you probably aren’t using the right credentials to perform the action. In a domain scenario this shouldn’t be a problem since the Administrator account is a member of the Domain Admins group. In a workgroup scenario this problem may occur if the local Administrator accounts on your administrator and IIS machines have different passwords, and the simple workaround in a workgroup scenario is to make sure all your IIS machines and your administrator machine have the same passwords for their Administrator account.

Figure 11-2: Message when IISReset is run with the wrong credentials

What if you are logged onto your administrator machine using ordinary user credentials instead of the Administrator account? After all, best practices suggest you use your Administrator account only when performing administrative tasks. Wherever possible, you should use your ordinary user account for daily use such as checking mail and browsing the Web. In this case (or if the Administrator accounts on the two machines have different passwords), you can use the runas command or secondary logon to run IISReset using Administrator credentials while logged on as a different user. Figure 11-3 shows an example of using runas to run the iisreset command as Administrator while logged on as user JSmith. The example here is a workgroup scenario—in a domain-based network you would use administrator@domainname (or domainname\administrator) as credentials instead of just administrator. Note that Figure 11-3 doesn’t show the second command-prompt window that pops up to execute the iisreset command and closes immediately afterwards.

Figure 11-3: Using secondary logon to run IISReset

What if your administrator workstation is a Windows 2000 or Windows XP machine? In the case of Windows 2000, you have a problem, because the version of IISReset included with that platform is different from the one on IIS 6. If you’re using Windows XP, as I mentioned in a previous chapter, even if you have the Admin Tools Pack for Windows Server 2003 installed on a Windows XP machine, you still don’t have a full set of administrative tools and capabilities for administering Windows Server 2003 machines, and until Service Pack 2 for XP comes out, this situation is not likely to be rectified. If you plan to roll out Windows Server 2003 immediately on your network, your best option is to use a Windows Server 2003 machine as your administrator console.

Of course, there are a couple of ways around this issue. You could use Remote Desktop to connect to your IIS machine and run IISReset as if you were at the machine’s local console. Or you could enable the Telnet Server service on your IIS machine and do the same using Telnet. We looked in detail at Remote Desktop in Chapter 5, so let’s look at Telnet now.

Using Telnet

Let’s walk through an example of using Telnet to run IISReset on a remote IIS machine, whose IP address we’ll assume is 172.16.11.215 and which belongs to a workgroup, not a domain. First, you must enable the Telnet Server service on the IIS machine, which by default is set to Disabled. To enable it, log on to the machine as Administrator and click Start | Administrative Tools | Services to open the Services console. Scroll down the right pane and double-click Telnet to open the properties sheet for the Telnet Server service (Figure 11-4).

Figure 11-4: Configuring the Telnet Server service

Change the Startup Type from Disabled to Automatic, click Apply, and then click Start to start the Telnet Server services on your machine. Once the service starts, close the properties sheet and verify the service is listed as running in the Services console.

Now go to another machine, open a command prompt, and start the Telnet client. The steps differ slightly depending on whether you are using Windows 2000, Windows XP, or Windows Server 2003 as your second machine; the following steps are for Windows Server 2003. To start the Telnet client on this platform, type telnet at the command prompt (Figure 11-5).

Figure 11-5: Starting the Telnet client on Windows Server 2003

After pressing ENTER, the Telnet client starts and runs in session mode (Figure 11-6). The Telnet client in Windows Server 2003 (and in Windows 2000 and Windows XP) has two modes of operation:

Figure 11-6: Telnet client running in session mode

• Session mode This mode allows you to open and close connections to remote hosts (Telnet servers), set terminal options, and close the Telnet client when you have finished with it.

• Command mode If you open a connection to a Telnet server while in session mode, the Telnet client automatically switches to command mode. In this mode, you can interactively run character-based applications on the remote host, which is what you want to do—you want to run IISReset on the remote IIS machine.

To display the possible Telnet commands you can use in session mode, type help (or h or ?). The open command is used to open a session, so type open 172.16.11.215 and press ENTER to try to open a session with the Telnet Server service on your IIS machine. The client responds by warning you that your password is being sent over an insecure communications channel and prompts you with Y/N for whether to continue. Press Y and then ENTER, and the client connects with the Telnet server on the IIS machine and switches from session to command mode. You are now looking at a command- prompt window running interactively on the remote machine (Figure 11-7).

Figure 11-7: Telnet client connected to an IIS machine and running in command mode

At this point, you can simply type iisreset, and the command will execute on the IIS server, causing it to restart. If you need to switch back to command mode to change the session options, press the escape character combination CTRL+], configure your options, and press ENTER to return to command mode. To leave command mode, type exit; to quit session mode and close your Telnet client, type quit.

There’s obviously a lot more to how Telnet is implemented on the Windows Server 2003 platform that we could talk about, but that’s all beyond the scope of this book. Consult any good book on general Windows Server 2003 administration for more information on this topic.

Telnet vs. Remote Desktop

Which is better for performing command-line administration of IIS 6, Telnet or Remote Desktop? Admins with a Unix background that are familiar with Telnet might prefer this tool instead of Remote Desktop, and an advantage of Telnet is that you can administer IIS from even a Unix or Linux machine. But security is an important issue regarding Telnet—if you enable the Telnet Server service on an IIS machine, you are potentially opening a door for malicious users to try to hack your system. Also, while a Telnet authentication session might be encrypted, all other data exchanged between Telnet clients and servers is passed unencrypted over your network, so if anyone is listening using a sniffer, they can follow all the details of your administration session. Remote Desktop by contrast is configured to encrypt all communication by default and is therefore more secure. So, while Telnet is a great idea in principle for remote administration of IIS 6 machines using the command line, in practice, you’ve got to be very careful if you plan on using it.

Running Scripts

Before I leave this topic of how to remotely run commands for administering IIS 6 machines, let’s talk about running scripts. So far you’ve seen how to remotely run a character-mode command like iisreset and that you can do this three ways:

• Run the command on a machine where the executable is present and using the name of the remote machine. For example, by typing iisreset servername while logged on as Administrator to another Windows Server 2003 machine.

• Run the command on the remote machine by using Remote Desktop.

• Run the command on the remote machine by using Telnet.

Is there any difference if you want to run a script on the remote machine instead? Let’s test this using the iisweb.vbs script, which I’ll discuss in more detail in the section “Managing Websites.” You’ll run this script on a remote machine to try to stop the Default Web Site on 172.16.11.215.

First, go to a different machine running Windows Server 2003, open a command- prompt window, and type the following command:

iisweb /stop "Default Web Site" /s 172.16.11.215

The syntax of this command says, “Use the iisweb.vbs script to stop the Default Web Site on the server named 172.16.11.215.” If a pop-up message appears saying, “This script does not work with Wscript,” click OK. A dialog box will then appear saying, “Would you like to register CScript as your default host for VBScript?”; click Yes. This will configure CSript.exe (which runs scripts as console-based processes) instead of WScript.exe (which runs them as Windows-based processes) as the default host for running scripts written using VBScript. These two utilities are part of the Windows Script Host (WSH) model used by Windows Server 2003 for running scripts. By default, scripts run using WScript, which assumes they have a GUI interface. You need to change that so you can run them from the command line. If you don’t make CScript your default host, you’ll have to type the following to stop the Default Web Site on the remote machine, which is a bit more work.

cscript.exe C:\Windows\System32\iisweb.vbs /stop "Default Web Site" /s 172.16.11.215 

Making CScript the default host for VBScripts simplifies typing your commands for administering IIS, so choose that route. Returning to the first command, enter it, and the script will use WMI to connect to your remote machine and stop the Default Web Site (Figure 11-8). After the script is finished, log on to the IIS machine, open IIS Manager, and verify the site is stopped.

Figure 11-8: Stopping a website on a remote machine using the iisweb.vbs script

Running Scripts with Telnet or Remote Desktop

If you’re going to use Telnet or Remote Desktop to run the script on the remote machine, the syntax is even easier:

iisweb /stop "Default Web Site"

This time you can leave out the name of the server on which to run the script because you are actually running the script interactively on the target machine. Couldn’t be easier!