Archives

Archives / 2011
  • Great SEO article

    I ran across a great SEO article via Twitter, the link is here

    http://www.seomoz.org/blog/what-every-seo-should-know-about-iis

    I wanted to add a comment with a few ideas; I tried to format the comment, however it didn’t format too cleanly, so I thought I’d add it here. Review the comments in the article too, there are some additional items that are worth mentioning. I hope he picks up this post and adds the couple links for reference.

    A couple of other things to reference alongside this great article. Here are three commands I run on all servers. I use compression level 9 on a very high volume with no impact. Here is another article on other properties: http://learn.iis.net/page.aspx/206/dynamic-compression/

    Scott Forsyth wrote an article on compression level and performance which is a good read. http://weblogs.asp.net/owscott/archive/2009/02/22/iis-7-compression-good-bad-how-much.aspx

    Enables dynamic compression

    c:\windows\system32\inetsrv\appcmd set config /section:urlCompression /doDynamicCompression:true

    Sets the compression level

    c:\windows\system32\inetsrv\appcmd set config /section:system.webServer/httpCompression "-[name='gzip'].dynamicCompressionLevel:9"

    Sets the directory path

    Mkdir D:\Data\IISTemporaryCompressedFiles
    c:\windows\system32\inetsrv\appcmd set config /section:httpCompression /directory:D:\Data\IISTemporaryCompressedFiles /maxDiskSpaceUsage:100 /minFileSizeForComp:256

    Hope this helps

  • Hosting PERL on IIS 7.x thread

    Every now and then, a thread on http://forums.iis.net will get my interest by doing something different with IIS. I’ve never set up PERL within IIS even though I knew it was possible to host PERL. I figured what the heck, let’s see if I can get it working even though I don’t really know how to program in PERL. The post is asking how to secure PERL in a shared hosting model.

    Forum thread on securing PERL.  As of this post, no one has responded who has secured PERL for shared hosting.  I’ve asked a couple questions for my own interest.  If you know, feel free to respond with more information.  I’d be interested.

    http://forums.iis.net/p/1179875/1988997.aspx

  • Web Stress testing tools thread

    Here is a thread on http://forums.iis.net that discusses stress testing tools. There is a wide variety of tools available. I personally use a PowerShell script to create a single log file, then load test with Web Application Stress tool (retired by Microsoft). For my personal needs this has been sufficient. I thought I would pass along as an FYI.

  • IIS 7 / IUSR account, SCCM 2007 client, Status messages not working

    Background

    This is one of those posts that has been “years in the making”. I’ve been working with SMS / ConfigMgr 2007 since version 2.0. In my IT career, I’ve used SMS / ConfigMgr 2007 on the server side exclusively. Traditionally SMS / ConfigMgr has been mainly a desktop software deployment and management tool. I’ve never talked with anyone who has used ConfigMgr strictly “in a Server environment” for other things besides patching and OSD, using ConfigMgr for DCM, Software Distribution, Querying, reporting etc.

    Problem

    I recently came across a situation where I was getting inconsistent status messages being sent back to the site server. Here is the message: “Failed to submit event to the Status Agent. Attempting to create pending event.” For those familiar with ConfigMgr, all components send their status messages through the StatusAgent component. Advertisements and task sequences would work; the status messages would not be updated, however.

    Side Bar
    Introduced in IIS 7 was the ability to set the Anonymous Authentication module to inherit from the application pool identity automatically. Here is a screenshot of the setting.


    In previous IIS versions, the IUSR account was a local account with its own SID (Security Identifier). The administrator had to be aware of this account along with the application pool account (App pools started in Windows 2003/IIS 6). The IUSR account was introduced in Windows Server 2008 as a ‘machine’ account with the same SID across all boxes. In IIS 6, I would set the IUSR_MachineName and application pool identity accounts the same. Although I was administering two locations, it made troubleshooting a lot easier only dealing with one account. When Windows Server 2008 came out and provided the ability to inherit the application pool identity automatically, from an IIS administrator’s perspective, I quickly adopted this architecture. PS – I’m not 100% sure why inheriting Application Pool Identity isn’t the default setting, I once heard it was to support Classic ASP applications. Not sure.

    Back to ConfigMgr 2007

    From an IIS perspective, administrators may implement this type of architecture (I did!). What I discovered is that the IUSR setting at server level is required if a machine has IIS installed. What I did to prove the ConfigMgr client was checking for the existence of the IUSR account.

    Here are the status messages that appeared in the logs. Notice the highlighted sections, and the function being called.

    ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">
    ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">
    ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.862+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">
    ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:21.862+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">
    ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:22.678+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="13344" file="perfobject.cpp:1484">
    ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:22.680+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="13344" file="perfobject.cpp:1559">
    StatusAgent.log:<![LOG[Security::LookupIUSRAccountSid(sAccount), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\core\ccmcore\comobjectsecurity.cpp,58)]LOG]!><time="00:14:58.883+240" date="01-09-2011" component="StatusAgent" context="" type="0" thread="11300" file="comobjectsecurity.cpp:58">

    As I mentioned earlier, I work strictly in a server environment, in which many boxes have IIS installed (mostly Windows Server 2008 / R2 boxes). For some reason Microsoft has logic in SCCM to check for the existence of the IUSR account. Here is a post I did, “IUSR Account and ConfigMgr 2007 R3 agent”. This explains that I temporarily had to set the IUSR account enabled at server level so the ConfigMgr agent would install.
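    A way to scan client logs for the failure shown above, as an added example that is not part of the original post: it parses the log entry layout seen in these lines and keeps only failed LookupIUSRAccountSid / GetIISAccounts calls. The function name is hypothetical, and the third sample line is constructed.

```powershell
# Added example, not the author's code. $SampleLines is constructed for the demo:
# two entries copied from the log excerpt above and one benign entry made up here.
$SampleLines = @(
    'ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">',
    'StatusAgent.log:<![LOG[Security::LookupIUSRAccountSid(sAccount), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\core\ccmcore\comobjectsecurity.cpp,58)]LOG]!><time="00:14:58.883+240" date="01-09-2011" component="StatusAgent" context="" type="0" thread="11300" file="comobjectsecurity.cpp:58">',
    'StatusAgent.log:<![LOG[Constructed benign entry]LOG]!><time="00:15:02.000+240" date="01-09-2011" component="StatusAgent" context="" type="1" thread="11300" file="sample.cpp:1">'
)

# Log entry layout: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
$EntryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<component>[^"]+)"'
# Failure message layout: Function(argument), HRESULT=xxxxxxxx (source file,line)
$FailPattern = '^(?<func>[\w:]+)\(\w*\), HRESULT=(?<hr>[0-9A-F]{8})'

function Find-IusrLookupFailure
{
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process
    {
        # Copy the captures out at once: the next -match replaces $Matches.
        if ($Line -notmatch $EntryPattern) { return }
        $date = $Matches['date']; $time = $Matches['time']
        $component = $Matches['component']; $message = $Matches['msg']

        if ($message -notmatch $FailPattern) { return }
        $call = $Matches['func']; $hresult = $Matches['hr']

        # Keep only the IUSR lookups named in the post, and only failed HRESULTs
        # (high bit set, so the first hex digit is 8-F).
        if ($call -notmatch 'LookupIUSRAccountSid|GetIISAccounts') { return }
        if ($hresult -notmatch '^[89A-F]') { return }

        New-Object PSObject -Property @{
            Date = $date; Time = $time; Component = $component
            Call = $call; HResult = "0x$hresult"
        }
    }
}

# One row per component/call pair with the number of failures seen.
$SampleLines | Find-IusrLookupFailure |
    Group-Object Component, Call |
    Select-Object Count, Name
```

    To run it against a real client, pipe the output of Get-Content for the client's log files into Find-IusrLookupFailure in place of $SampleLines.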

    A configuration workaround

    The ConfigMgr agent doesn’t seem to check for IUSR at site level. This means an administrator who has ConfigMgr installed on a server OS with IIS can enable the IUSR setting at server level, and set the inherit application pool identity at site level. From my testing, this configuration works. I wrote a PowerShell script to:

    • Back up the current applicationHost.config with appcmd
    • Enable IUSR at server level
    • Disable IUSR at site level and inherit the application pool identity
    • Stop / Start SMS Agent Host
    • Watch the SCCM logs

    A little precaution before running the script. The logic assumes you are using the application pool identity for securing resources. I’d recommend you review your IIS architecture to ensure this setup would work in your environment. I ALWAYS encourage people to try scripts in a non-production environment first. The script does make a backup copy of the applicationHost.config before making changes. If something happens, just restore the applicationHost.config.

    After years of not quite understanding how IUSR was used, I thank God for helping me finally understand what is happening! I hope you find this post useful. Hope this workaround isn’t needed in CM2012. Time will tell.

    Thank you,

    Steve Schofield
    Windows Server MVP - IIS
    http://www.iislogs.com/steveschofield


    Here is the script.

    $ExitCode = 0
    $AppCmd = "$Env:SystemRoot\system32\inetsrv\appcmd.exe"

    # Runs appcmd through the call operator instead of Invoke-Expression, so each
    # value (including a site name) is passed as one literal argument.
    function InvokeAppCmd([string[]]$Arguments)
    {
        Write-Host "$AppCmd $Arguments"
        & $AppCmd $Arguments
        # appcmd does not throw on failure; turn a non-zero exit code into an error
        if ($LASTEXITCODE -ne 0) { throw "appcmd exited with code $LASTEXITCODE" }
    }

    function EnableIUSRServerLevel
    {
        InvokeAppCmd @('set', 'config', '/section:system.webServer/security/authentication/anonymousAuthentication', '/userName:IUSR', '/commit:apphost')
    }

    function DisableIUSRSiteLevel([string]$SiteName)
    {
        # An empty userName makes anonymous requests run as the application pool identity
        InvokeAppCmd @('set', 'config', $SiteName, '/section:system.webServer/security/authentication/anonymousAuthentication', '/userName:', '/commit:apphost')
    }

    try
    {
        # Load the IIS PowerShell provider to get a list of sites.
        # Windows Server 2008 R2 has the WebAdministration module already;
        # Windows Server 2008 needs the PowerShell provider installed before use,
        # where it loads as a snap-in.
        if (Get-Module -ListAvailable -Name "WebAdministration")
        {
            Import-Module -Name "WebAdministration"
        }
        else
        {
            Add-PSSnapin -Name "WebAdministration" -ErrorAction Stop
        }

        # Backup applicationHost.config (MM = month, HH = 24-hour clock, mm = minutes)
        $FileDate = (Get-Date).ToString('dd-MM-yyyy-HH-mm')
        InvokeAppCmd @('add', 'backup', "BeforeSettingIUSRData$FileDate")
        Write-Host "applicationHost.config backed up"

        # Set IUSR at server level
        Write-Host "Set IUSR at server level enabled"
        EnableIUSRServerLevel

        # Get list of sites using Get-ChildItem
        $sites = Get-ChildItem IIS:\Sites

        # Set each site on the box with IUSR disabled
        foreach ($site in $sites)
        {
            Write-Host $site.name
            Write-Host ""
            DisableIUSRSiteLevel -SiteName $site.name
        }

        Write-Host "Done"
    }
    catch
    {
        $ExitCode = 1
        Write-Host "error: $_"
    }

    exit $ExitCode
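    To confirm the end state the workaround aims for (IUSR at server level, application pool identity at site level), the following added example, which is not part of the original post, reads an applicationHost.config and reports which identity anonymous requests use for each site. The function name, the sample config and its site names are constructed for illustration, and only site-level location overrides are checked.

```powershell
# Added example, not the author's code. $SampleConfig is a constructed, trimmed
# applicationHost.config; the site names are hypothetical.
[xml]$SampleConfig = '
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1" />
      <site name="Intranet" id="2" />
    </sites>
  </system.applicationHost>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
  </authentication></security></system.webServer>
  <location path="Default Web Site">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="" />
    </authentication></security></system.webServer>
  </location>
</configuration>'

function Get-AnonymousIdentity
{
    param([xml]$Config)
    $section = 'system.webServer/security/authentication/anonymousAuthentication'
    $server = $Config.SelectSingleNode("/configuration/$section")

    foreach ($site in $Config.SelectNodes('/configuration/system.applicationHost/sites/site'))
    {
        $name = $site.GetAttribute('name')
        # A site-level override is stored under <location path="SiteName">.
        $location = $Config.SelectNodes('/configuration/location') |
            Where-Object { $_.GetAttribute('path') -eq $name } | Select-Object -First 1
        $override = if ($location) { $location.SelectSingleNode($section) }

        if ($override -and $override.HasAttribute('userName'))
        { $source = 'site'; $user = $override.GetAttribute('userName') }
        elseif ($server -and $server.HasAttribute('userName'))
        { $source = 'server'; $user = $server.GetAttribute('userName') }
        else
        { $source = 'schema default'; $user = 'IUSR' }   # IIS schema default

        # An empty userName means the request runs as the application pool identity.
        $runsAs = if ($user -eq '') { 'application pool identity' } else { $user }
        New-Object PSObject -Property @{ Site = $name; SetAt = $source; RunsAs = $runsAs }
    }
}

Get-AnonymousIdentity -Config $SampleConfig | Format-Table Site, SetAt, RunsAs -AutoSize
```

    A site with no location override, such as one created after the script has run, is reported as IUSR because it inherits the server-level value.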

  • IISLogs.com upgraded to Orchard 1.2

    I’m excited to announce IISLogs (and my blog) upgraded to Orchard 1.2. The upgrade process wasn’t too painful, I’d suggest using WinMerge to compare folders and files. This came in handy when comparing my Modules and Themes folders. One thing I found extremely useful for detecting errors was using the IIS SEO Toolkit to scour my site looking for errors.

  • Blogs has officially moved. Please update your links

    After 7 1/2 years, my blog and all content have been moved to my own domain! I’ve worked with the admins who run http://weblogs.asp.net to implement a 301 redirect. Old links should redirect to the corresponding link on my new blog. It’s been quite an adventure. Check out the post related to standing up Orchard, here is the link  I’ve been really impressed with the performance of Orchard. I’ve been testing a VPS at GoDaddy (1 proc, 2 GB, 30 GB of ram) for $40 / per month. So far so good. Stay tuned on this, more updates to come.

  • Handy date format reference

    I was doing various PowerShell formatting. Here is a handy date time format reference: http://technet.microsoft.com/en-us/library/ee692801.aspx

  • Adventure setting up Orchard with my site and blog.

    I’ve been blogging for years, mainly with Community Server. I’ve had a desire to switch my blog over to my own domain, which currently is www.iislogs.com (the domain which sells IIS Logs program). I selected Orchard as it seemed different, fresh and challenging. Plus it was built on top of the MVC framework and has an up and coming community. I came from the days when I tried to be a web developer using Classic ASP and let’s say Classic ASP.NET. Enough reflecting.

  • Read a file add to load testing file

    I used this script to read a few months’ worth of my IIS logs to create a single log file. I used the single file for load testing with Web Application Stress tool.

  • Sharepoint 2010, People Picker (peoplepicker-searchadforests), 1 way Active Directory trust .... process monitor to the rescue!

    If you run Sharepoint 2010 in one forest, with users in another forest and a 1-way forest trust in place, there is some additional configuration needed in Sharepoint 2010. I included links below that discuss the details. My post is not an in-depth how-to on the setup, rather it shares a tidbit not discussed in documentation (not that I could find). Thanks to a smart co-worker and process monitor, it was found there is a registry entry to which the application pool needs READ access. You can either manually grant permissions on the server or add the registry permission in AD Group Policy. Hope this helps.

  • www.IISJobs.com has been launched.

    Looking for a job related to Microsoft (Internet Information Server)? Or do you have a job opening which requires IIS experience? Look no further, subscribe to the discussion forum today at http://www.iisjobs.com and be notified as soon as a job is posted or someone responds.

  • IIS Logs unattended installation example / unattended packaging info

    I've been doing some packaging of software within SCCM recently. As I'm rediscovering, each software package has its own trick to get an unattended installation working. One useful trick I found with MSIs is to use the /l* logname.log when installing from the command line. After the installation has completed, you can open the log file and look for the variables that can be set.

  • Webfarm and IIS configuration tips/tricks

    I was recently talking with some good friends about tips for performance and what an IIS Administrator could do on the server side.  I also see this question from time to time in the forums @ http://forums.iis.net.    Of course, you should test individual settings in a controlled environment while performing load testing before just implementing on your production farm.