Microsoft Windows Server 2003 Deployment Kit—Deploying Microsoft Internet Information Services (IIS) 6.0 [Electronic resources]

Microsoft Corporation

Converting to Worker Process Isolation Mode

When the upgrade process is complete, IIS 6.0 is configured to run in IIS 5.0 isolation mode. Although IIS 5.0 isolation mode provides compatibility with existing applications, it is unable to provide all the security, availability, and performance improvements in worker process isolation mode. To take full advantage of these improvements, you must configure IIS 6.0 to run in worker process isolation mode.

After upgrade, most Web sites and applications function in worker process isolation mode without modification. IIS can run in only one application isolation mode at a time — either IIS 5.0 isolation mode or worker process isolation mode. As a result, configuring IIS to run in worker process isolation mode affects all of the Web sites and applications hosted by IIS. Therefore, before configuring IIS to run in worker process isolation mode, you must determine whether your applications are compatible with this isolation mode. If the existing Web sites and applications are not compatible with worker process isolation mode, you can continue to "Configuring IIS for ASP.NET Applications" later in this chapter.

Figure 5.4 illustrates the process for converting the Web server to worker process isolation mode.


Figure 5.4: Converting to Worker Process Isolation Mode


For more information about worker process isolation mode and IIS 5.0 isolation mode, see "Determining Application Compatibility with Worker Process Isolation Mode" earlier in this chapter.



Documenting the Current Application Isolation Settings


Before you configure IIS 6.0 to run in worker process isolation mode, document the existing application isolation settings of the Web sites and applications that are hosted by IIS. Later in the upgrade process, you will use this baseline configuration for configuring the application isolation mode for your Web sites and applications.

For each Web site and application currently running on the server, document the following:

- Application isolation settings

  Earlier versions of IIS can host Web sites and applications in pooled or isolated process configurations. For information about how to view the current application isolation mode, see "View Application Isolation Configuration" in "IIS Deployment Procedures" in this book.

  If you are running IIS 4.0 on Windows NT Server 4.0, your applications are isolated in one of the following ways:

  - In-process (running in-process with Inetinfo.exe)
  - Isolated (running under Microsoft Transaction Server [MTS])

  If you are running IIS 5.0 on Windows 2000, your applications are isolated in one of the following ways:

  - In-process (running in-process with Inetinfo.exe)
  - Pooled (running in a pooled COM+ package)
  - Isolated (running in an isolated COM+ package)

- Process identity that is used by the Web site or application

  Each Web site or application configured in high isolation, or pooled isolation, uses an identity. An identity is a user account that provides a security context for the worker process servicing the Web site or application. The identity can be used to secure content, by using NTFS permissions, or data, such as data stored in Microsoft SQL Server™. For more information about how to view the identity for each Web site or application, see "View Web Site and Application Process Identities" in "IIS Deployment Procedures" in this book.





Note

All Web sites and applications without identities run under the security context of LocalSystem.




Configuring IIS 6.0 to Run in Worker Process Isolation Mode


As previously mentioned, configuring the IIS application isolation mode is a Web server-wide configuration setting that affects all Web sites and applications running on the Web server. The server is currently configured in IIS 5.0 isolation mode.

If you determined that one or more of your Web sites or applications are incompatible with worker process isolation mode, leave the Web server in IIS 5.0 isolation mode. Otherwise, configure IIS 6.0 to run in worker process isolation mode either in IIS Manager, or by setting the IIS metabase property IIs5IsolationModeEnabled to a value of False.





Note

If you configure IIS 6.0 to run in IIS 5.0 isolation mode and then decide to change the configuration back to worker process isolation mode, the original worker process isolation mode settings are retained. Similarly, if you configure IIS 6.0 to run in IIS 5.0 isolation mode, change to worker process isolation mode, and then change back to IIS 5.0 isolation mode, the IIS 5.0 isolation mode settings are retained.


For more information about how to configure IIS to run in worker process isolation mode or in IIS 5.0 isolation mode, see "Configure Application Isolation Modes" in "IIS Deployment Procedures" in this book. For more information about determining compatibility with worker process isolation mode, see "Evaluating Application Changes Required for Worker Process Isolation Mode" earlier in this chapter.


Configuring Application Isolation Settings in Worker Process Isolation Mode


Immediately after configuring IIS to run in worker process isolation mode, you need to configure the application isolation settings to closely approximate their configuration in IIS 5.0 isolation mode by assigning them to application pools. An application pool is a grouping of one or more Web sites or applications served by one or more worker processes. You might need to apply additional configurations so that the applications retain their original isolation settings.

After converting to worker process isolation mode, all applications run in the pre-existing application pool named "DefaultAppPool." If all of the applications ran in the same process in the previous version of IIS, then they all are assigned to the default application pool.


However, if any one of the applications in the same application pool fails, the other applications can be adversely affected. For this reason it is recommended that you isolate your applications into separate application pools whenever possible.

Configure Web sites and applications to run in their own application pool by completing the following steps:


1. For each Web site or application configured in High isolation in IIS 5.0

   1. Create a new application pool to be used by the Web site or application.

      For information about how to create application pools, see "Isolate Applications in Worker Process Isolation Mode" in "IIS Deployment Procedures" in this book.

   2. If the Web site or application previously ran under an identity that is still required by the Web site or application, configure the application pool to use that same identity.

      For information about how to configure the identity for an application pool, see "Configure Application Pool Identity" in "IIS Deployment Procedures" in this book.

   3. Assign the Web site or application to the new application pool.

      For information about how to assign the Web site to the new application pool, see "Isolate Applications in Worker Process Isolation Mode" in "IIS Deployment Procedures" in this book.

2. For each Web site or application configured in Low or Medium isolation in IIS 5.0

   In earlier versions of IIS, applications ran in-process as DLLs in Inetinfo.exe (Low isolation) and the default process identity (account the application runs as) was LocalSystem. With worker process isolation mode in IIS 6.0, applications never run in Inetinfo.exe. However, any applications that are not explicitly assigned to an application pool are assigned to the default application pool, which runs under the NetworkService process identity by default. Because LocalSystem has an elevated security context, run Web sites and applications under the security context of the NetworkService account.

   For each Web site or application that ran in Low or Medium isolation in IIS 5.0, do one of the following:

   - When the Web site or application is able to function under the identity of the NetworkService account in the default application pool, continue to host the Web sites or applications in the default application pool, named "DefaultAppPool."

   - When the Web site or application is unable to function under the identity of the NetworkService account in the default application pool, perform the following steps:

     1. Create a new application pool.

     2. Create a service account to be used as the identity for the application pool.

        For more information about how to create a service account to be used as an identity for an application pool, see "Create a Service Account" in "IIS Deployment Procedures" in this book.

     3. Configure the application pool identity to use the service account.

        For more information about how to configure the identity for an application pool, see "Configure Application Pool Identity" in "IIS Deployment Procedures" in this book.

     4. Place the Web site or application in the new application pool.






Example: Converting to Worker Process Isolation Mode


A fictitious organization, Contoso, has an existing IIS 5.0 Web server that hosts four Web applications. The administrator plans to upgrade the Web server to IIS 6.0, and has tested the applications for compatibility with IIS 6.0 worker process isolation mode and Windows Server 2003. Table 5.4 lists the existing configuration of the Web applications before upgrading to IIS 6.0.



























Table 5.4: Configuration Before Upgrade

| Application Name | Request Processing Model | Identity |
|---|---|---|
| Application-A | Isolated | AppIdent-01 |
| Application-B | In-process | LocalSystem |
| Application-C | Isolated | AppIdent-02 |
| Application-D | In-process | LocalSystem |
| Application-E | In-process | LocalSystem |


After the upgrade, the administrator verified that the Web applications continued to run properly in IIS 5.0 isolation mode. Then the administrator configured IIS 6.0 to run in worker process isolation mode. Table 5.5 lists the configuration of the Web applications immediately after configuring IIS to run in worker process isolation mode.



























Table 5.5: Configuration After Converting to Worker Process Isolation Mode

| Application Name | Application Pool | Application Pool Identity |
|---|---|---|
| Application-A | Default Application Pool | NetworkService |
| Application-B | Default Application Pool | NetworkService |
| Application-C | Default Application Pool | NetworkService |
| Application-D | Default Application Pool | NetworkService |
| Application-E | Default Application Pool | NetworkService |



To approximate the original configuration of the Web applications in worker process isolation mode, the administrator does the following:

- Creates a new application pool for each application that was configured for isolation.
- Configures each application pool with the identity assigned previously to the application configured for isolation.
- Ensures that the identity assigned to each newly created application pool is added to the IIS_WPG local user group.
- Assigns each application to the corresponding application pool.
- Continues hosting all other applications in the default application pool.
- Verifies that the applications in the default application pool properly run under the NetworkService account identity.





























Table 5.6: Final Configuration of Web Sites and Applications

| Application Name | Application Pool | Application Pool Identity |
|---|---|---|
| Application-A | AppPool-01 | AppIdent-01 |
| Application-B | Default | NetworkService |
| Application-C | AppPool-02 | AppIdent-02 |
| Application-D | Default | NetworkService |
| Application-E | Default | NetworkService |
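
The pool-assignment rules from this section, applied to the documented baseline, as an added Python example that is not part of the Deployment Kit. The function and field names, the `service_accounts` parameter, and the `AppPool-NN` numbering (modeled on Table 5.6) are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_POOL, DEFAULT_IDENTITY = "DefaultAppPool", "NetworkService"
BUILT_IN = {"localsystem", "networkservice", "localservice"}

@dataclass
class Assignment:
    app: str
    pool: str
    identity: str
    add_to_iis_wpg: bool = False  # custom pool identities must be in IIS_WPG
    verify: str = ""              # what to test after the move

def plan_pools(baseline, service_accounts=None):
    """baseline: (app, isolation, identity) rows documented before the upgrade.
    service_accounts: hypothetical map of app -> service account for Low/Medium
    apps that testing showed cannot run as NetworkService."""
    service_accounts = service_accounts or {}
    plan, dedicated = [], 0
    for app, isolation, identity in baseline:
        high = isolation.strip().lower() == "isolated"
        # Apps without an identity ran as LocalSystem; never carry that over.
        custom = identity if identity.lower() not in BUILT_IN else None
        if not high:
            custom = service_accounts.get(app)
        if high or custom:
            dedicated += 1
            pool = f"AppPool-{dedicated:02d}"  # assumed naming, as in Table 5.6
        else:
            pool = DEFAULT_POOL
        row = Assignment(app, pool, custom or DEFAULT_IDENTITY, bool(custom))
        if identity.lower() == "localsystem":
            row.verify = f"ran as LocalSystem; test under {row.identity}"
        plan.append(row)
    return plan

# Rows constructed from Table 5.4 on this page.
TABLE_5_4 = [
    ("Application-A", "Isolated", "AppIdent-01"),
    ("Application-B", "In-process", "LocalSystem"),
    ("Application-C", "Isolated", "AppIdent-02"),
    ("Application-D", "In-process", "LocalSystem"),
    ("Application-E", "In-process", "LocalSystem"),
]

if __name__ == "__main__":
    for row in plan_pools(TABLE_5_4):
        print(f"{row.app:14} {row.pool:15} {row.identity:15} "
              f"IIS_WPG+={row.add_to_iis_wpg!s:5} {row.verify}")
```

The `verify` field marks every application that loses LocalSystem in the move, which is the set the administrator must test under the less privileged identity before the conversion is considered complete.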

