Now that I’ve covered the types of commands and ways of running them, I’ll discuss in detail how to use each command for remotely administering IIS 6 machines. I’ll start with the general task of administering services essential to running IIS.
As discussed previously, IISReset is your first line of defense for recovering and maintaining buggy applications that application pool recycling fails to protect against. As you’ve seen, in its simplest usage, typing iisreset at the command line on a console session causes all IIS services on the local machine to stop and then start. Exactly the same thing can be done using the GUI by right-clicking the IIS server node in IIS Manager and selecting All Tasks | Restart IIS (in fact, the GUI method uses IISReset to accomplish this task). Note that neither of these approaches causes the HTTP Listener (http.sys) to restart, nor do they affect any non-IIS Internet services running on the machine, such as the POP3 mail service. As I mentioned previously, IISReset should be a last-ditch option only, because stopping IIS terminates any existing connections from Internet clients, causing users frustration and possible data loss. Also, unless you save your configuration to disk first, using IISReset to restart IIS may result in recent metabase changes being lost. Nevertheless, and particularly in a development environment, IISReset is a common method for recovering resource-leaking ASP applications and preventing “accumulated instability” from bringing down your machine.
You can do more with IISReset than just restart IIS. Let’s take a look at the various options for running this command and try each one out. For simplicity, run this command on the IIS machine itself, although most of the options (with an exception I’ll shortly discuss) work from a remote machine also, as long as you include the name or IP address of your target IIS machine in the command syntax.
First of all, the /status switch displays which IIS services are currently running on the machine:
C:\>iisreset /status
Status for World Wide Web Publishing Service ( W3SVC ) : Running
Status for FTP Publishing Service ( MSFtpsvc ) : Running
Status for HTTP SSL ( HTTPFilter ) : Running
This tells you that the WWW and FTP services are running on the machine, along with HTTP Filter, a user-mode process used to implement SSL encryption on IIS. This HTTP Filter component is hosted within the lsass.exe process when IIS is configured to run in worker process isolation mode, and within the inetinfo.exe process when IIS is running in IIS 5 isolation mode. You can verify that these services are running by opening Services in Administrative Tools. By examining the Dependencies tab of each service, you can discover what other services they depend on and what services depend on them (Figure 11-9). For example, all three of the services displayed in the previous command-line session depend upon the IISAdmin service, which the iisreset /status command does not display as running. The WWW service also depends on the HTTP SSL service, which is the name displayed in the Services console for the HTTP Filter component.
Figure 11-9: IIS service dependencies
If you want to simply stop all IIS services as opposed to restarting (stopping and then starting) them, use the /stop switch:
C:\>iisreset /stop
Attempting stop...
Internet services successfully stopped
Now if you check the status of IIS you can verify that the services have been stopped:
C:\>iisreset /status
Status for World Wide Web Publishing Service ( W3SVC ) : Stopped
Status for FTP Publishing Service ( MSFtpsvc ) : Stopped
Status for HTTP SSL ( HTTPFilter ) : Stopped
To start the stopped services, use the /start switch:
C:\>iisreset /start
Attempting start...
Internet services successfully started
Of course, you can verify that the services have started using /status as before. An issue to consider is what happens if IIS services take a long time to stop gracefully (as opposed to terminating abruptly, with possible data loss). By default, iisreset /stop waits 60 seconds for services to stop gracefully; if they fail to do so, it assumes there is a problem with the server and forces the services to stop abruptly. By contrast, iisreset /restart waits only 20 seconds before forcing termination of services. You can modify this behavior in two ways:
Use the /timeout:val switch to explicitly specify how long in seconds the command should wait before stopping or restarting services.
Use the /noforce switch to indicate that if services cannot be gracefully shut down, then the command should abort.
Another administrative action you can perform with IISReset is to reboot your IIS machine using the /reboot switch (Figure 11-10). This gives you 20 seconds before the server automatically reboots.
Figure 11-10: Rebooting an IIS machine using iisreset /reboot
You can also use the /rebootonerror switch to force a reboot to occur if an error occurs when you try to start, stop, or restart IIS services. For example, the command
iisreset /stop /rebootonerror /timeout:1
will give the command one second to try to stop IIS services, which is not enough time, so an error condition is generated and /rebootonerror forces a reboot.
Finally, a concern you might have as an administrator is what if someone else uses IISReset remotely to stop services on your IIS machine? How can you prevent them from doing this? Of course, that individual would need Administrator credentials to accomplish this, but credentials can be stolen, so Microsoft added another switch to IISReset called /disable that disables restarting of IIS services on the local system:
C:\>iisreset /disable
Access to IIS restart API disabled to this computer

C:\>iisreset /restart
Attempting stop...
Restart attempt failed.
Restarting of Internet Services has been disabled.
They also provided another switch that you can use to enable the command if it’s disabled:
C:\>iisreset /enable
Restarting of Internet Services has been enabled.
How does that make things more secure? Couldn’t an attacker simply enable the command if they found it disabled on a machine? The key is that the /disable and /enable switches only work if you run them interactively (locally) on the IIS machine. For example, if you run iisreset /disable on an IIS machine 172.16.11.215 and then try to stop the services from a remote machine, the command fails to stop the services:
C:\>iisreset 172.16.11.215 /stop
Attempting stop...
Stop attempt failed.
Restarting of Internet Services has been disabled.
Note: If you run iisreset computername /disable from a remote machine to disable services on an IIS machine named computername, the response says that “Restarting of Internet services has been disabled,” but this is not correct—try iisreset computername /restart next and you’ll see that it works!
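The /status output and the “has been disabled” response shown above can be checked by a script rather than by eye, for example in a scheduled health check. The following Python is an added example, not code from the book; the function names and the sample text are constructed here, and query_status assumes iisreset is on the PATH of a Windows machine.

```python
import re
import subprocess

# Line format as printed by the iisreset /status sessions in this section.
STATUS_RE = re.compile(r"Status for (?P<display>.+?) \( (?P<name>\w+) \) : (?P<state>\w+)")
DISABLED_MSG = "restarting of internet services has been disabled"
EXPECTED = ("W3SVC", "MSFtpsvc", "HTTPFilter")

# Constructed sample: only the WWW service is stopped.
SAMPLE_PARTIAL = """\
Status for World Wide Web Publishing Service ( W3SVC ) : Stopped
Status for FTP Publishing Service ( MSFtpsvc ) : Running
Status for HTTP SSL ( HTTPFilter ) : Running
"""

def parse_status(text):
    """Return {service name: state} for each status line in the output."""
    return {m["name"]: m["state"] for m in STATUS_RE.finditer(text)}

def not_running(text, expected=EXPECTED):
    """Expected services that are absent from the output or not Running."""
    states = parse_status(text)
    return [svc for svc in expected if states.get(svc) != "Running"]

def restart_refused(text):
    """True if a stop/start/restart attempt was refused because of /disable.

    Only meaningful on the output of an attempted operation: as the Note
    above says, the reply to a remote /disable prints the same phrase
    without the restriction actually being in force.
    """
    return DISABLED_MSG in text.lower()

def query_status(host=None):
    """Run iisreset [host] /status and return its output (Windows only)."""
    cmd = ["iisreset"] + ([host] if host else []) + ["/status"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    print(not_running(SAMPLE_PARTIAL))
```

An empty list from not_running means every expected service reported Running; a service missing from the output is treated the same as a stopped one.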
Another useful approach you can take to administering IIS services with IISReset is to schedule operation of this command using the Task Scheduler of Windows Server 2003. For example, to schedule IIS to restart according to a predefined schedule or interval of time, follow these steps:
Click Start | Settings, open Control Panel, select Scheduled Tasks, and choose Add Scheduled Task.
Click Next to run the Scheduled Task Wizard and be presented with a list of common Windows programs whose operation you might wish to schedule.
Because IISReset is not in the displayed list of programs, click Browse, navigate to the \Windows\System32 folder, and double-click IISReset.exe to select it (Figure 11-11).
Figure 11-11: Scheduling IISReset to run using Task Scheduler.
Type a friendly name for the task (“iisreset” is suggested), select a schedule condition, and click Next.
Specify the Administrator credentials for running the command and click Next.
Select the check box to further configure advanced properties for the task and click Finish.
On the Task tab of the properties sheet for the task, in the Run box, add any optional switches you require at the end of the command string and click OK.
To test this out, try creating a scheduled task that will stop IIS services the next time you log on to your IIS machine. Then log off and log on again and open IIS Manager. You should see the Web Sites and FTP Sites disabled with red circles containing an X. If this is not the case, make sure you didn’t run iisreset /disable previously on the machine!
Tip: You can also schedule tasks from the command line using the new Schtasks.exe command of Windows Server 2003, which replaces the At.exe command of earlier versions (though At.exe is still present for down-level compatibility reasons). To find out more about Schtasks.exe, open the Help and Support Center on your Windows Server 2003 machine.
You can also stop, start, and pause other IIS services using the net commands, part of the general Windows commands on Windows Server 2003. For example, to stop only the WWW service but leave the IIS Admin service running, use net stop as follows:
C:\>net stop w3svc
The World Wide Web Publishing Service service is stopping.
The World Wide Web Publishing Service service was stopped successfully.
Now if you open IIS Manager, you’ll see a red circle with an X on it over the Web Sites node, indicating that all websites on the machine are stopped (Figure 11-12).
Figure 11-12: The WWW Service is stopped.
To restart the WWW Service, use net start:
C:\>net start w3svc
The World Wide Web Publishing Service service is starting.
The World Wide Web Publishing Service service was started successfully.
Table 11-1 shows the service name you need to use when you want to stop, start, or pause IIS services using net commands.
Service | Name for net Commands |
---|---|
IIS Admin service | iisadmin |
WWW service | w3svc |
FTP service | msftpsvc |
SMTP service | smtpsvc |
NNTP service | nntpsvc |
Note that if you try to stop the IIS Admin service, you will be asked whether to continue, because doing so stops dependent services like WWW and FTP as well:
C:\>net stop iisadmin
The following services are dependent on the IIS Admin Service service.
Stopping the IIS Admin Service service will also stop these services.
World Wide Web Publishing Service
FTP Publishing Service
HTTP SSL
Do you want to continue this operation? (Y/N) [N]: y
The World Wide Web Publishing Service service is stopping.
The World Wide Web Publishing Service service was stopped successfully.
The FTP Publishing Service service is stopping.
The FTP Publishing Service service was stopped successfully.
The HTTP SSL service is stopping.
The HTTP SSL service was stopped successfully.
The IIS Admin Service service is stopping.
The IIS Admin Service service was stopped successfully.
If you want to stop the IIS Admin service without having to respond to the prompt, use this:
net stop /y iisadmin
Unfortunately, restarting IIS Admin using net start iisadmin starts only the IIS Admin service and doesn’t start dependent services like WWW or FTP. To restart all the IIS services, use iisreset /start. You can verify that this worked with iisreset /status.