Microsoft Windows Server 2003 Deployment Kit—Deploying Microsoft Internet Information Services (IIS) 6.0 [Electronic resources]

Microsoft Corporation

Migrating Web Sites Manually


Earlier in the process, you decided whether to migrate your Web sites with the IIS 6.0 Migration Tool or to migrate them manually. If you are unable to use the migration tool, you must migrate manually, or use existing provisioning or setup scripts. For more information about how to determine whether you can perform the migration with the IIS 6.0 Migration Tool, see "Selecting a Migration Method" earlier in this chapter.

When there are provisioning or setup scripts for your Web sites and applications, use these scripts to install the Web sites and applications on the target server. These scripts might require modification to be compatible with worker process isolation mode, which is discussed in "Evaluating Application Changes Required for Worker Process Isolation Mode" earlier in this chapter.

Because the scripts install and configure the Web sites and applications, no migration is required. In this case, run the scripts to install and configure the Web sites and applications and then proceed to "Configuring IIS 6.0 Properties" later in this chapter to continue with the process.


Figure 6.6 illustrates the process for migrating Web sites manually to IIS 6.0.


Figure 6.6: Performing a Manual Migration to IIS 6.0



Verifying That Clients Are Not Accessing Web Sites Before a Manual Migration


Before migrating your existing Web sites and applications, ensure that no active client sessions are running. For more information about verifying that clients are not accessing Web sites, see "Verifying That Clients Are Not Accessing Web Sites" earlier in this chapter.


Creating Web Sites and Virtual Directories


For each Web site and virtual directory on the source server, you must create a corresponding Web site and virtual directory on the target server. Later in the migration process, you will copy the content into these Web sites and virtual directories.

Create the Web sites and virtual directories by completing the following steps:



Create the Web sites and home directories on the target server.



Create the virtual directories.




Creating Web Sites and Home Directories on the Target Server


Each Web site must have one home directory. The home directory is the central location for your published pages. It contains a home page or index file that welcomes visitors and contains links to other pages in your site. The home directory is mapped to the Web site's domain name or to the name of the Web server.

Create a Web site and home directory on the target server by completing the following steps:



Create the folder that will be the home directory for the Web site on the target server.

The folder that is the home directory of the Web site contains all of the content and subdirectories for the Web site. The folder can be created on the Web server or on a UNC-shared folder on a separate server. At a minimum, create the folder on the following:



An NTFS partition, which helps ensure proper security.



A disk volume other than the system volume, which reduces the potential of an attack on a Web site bringing down the entire Web server, and improves performance.



For more information about securing Web sites and applications, see "Securing Web Sites and Applications" in this book. For more information about creating directories for your Web sites, see "Create a Web Site" in "IIS Deployment Procedures" in this book.




Determine whether to generate the Web site identification number incrementally, or from the Web site name.

Although site identification numbers were generated incrementally in IIS 5.1 and earlier, when you create a new site on IIS 6.0, a Web site identification number is randomly generated by using the name of the Web site. If you have administration scripts, setup programs, or provisioning scripts that depend upon the IIS 5.1 method of generating site identification numbers, you can force IIS 6.0 to use incremental site identification numbers by creating the IncrementalSiteIDCreation registry entry in the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetMgr\Parameters with the data type REG_DWORD and the value set to 0x1.

For more information about configuring the Web site identification number, see "Configure the Web Site Identification Number" in "IIS Deployment Procedures" in this book.



Create the Web site on the target server.

Configure the Web site to have the same configuration as the corresponding Web site on the source server. For more information about how to create a Web site, see "Create a Web Site" in "IIS Deployment Procedures" in this book.



If the Web site on the source server is FrontPage extended, then configure the Web site on the target server to be FrontPage extended.

For more information about how to configure a Web site to be FrontPage extended, see "Configure a Web Site to be FrontPage Extended" in "IIS Deployment Procedures" in this book.




Creating Virtual Directories


For each virtual directory within each Web site on the source server, you must create a corresponding virtual directory on the target server. A virtual directory is a folder name, used in an address, which corresponds to a physical directory on the Web server or a Universal Naming Convention (UNC) location. This is also sometimes referred to as URL mapping. Virtual directories are used to publish Web content from any folder not located in the home directory of the Web site. When clients access content in a virtual directory, the content appears to be in a subdirectory of the home directory even though it is not.

For security reasons, you might want to move the Web site content to a different disk volume during the migration process. You can move the content to another disk volume on the target server or to a shared folder on a separate server. You can use virtual directories to specify the UNC name for the location where the content is placed, and provide a user name and password for access rights.


For each virtual directory in each Web site on the source server, create a corresponding virtual directory on the target server by completing the following steps:



Create the folder on the target server to contain the virtual directory content.

Create the folder in the same location on the target server unless you are placing the content on a different disk volume than the source server or you are using a UNC share to store the content. Ensure that you create the folder in a secure manner that does not compromise the security of the target server.

For more information about securing virtual directories, see "Preventing Unauthorized Access to Web Sites and Applications" in "Securing Web Sites and Applications" in this book.



Create the virtual directory under the appropriate Web site on the target server. For more information about how to create virtual directories, see "Create a Virtual Directory" in "IIS Deployment Procedures" in this book.




Migrating Web Site Content


For each Web site and virtual directory on the source server, you must migrate the content to the corresponding Web site and virtual directory on the target server. You can migrate the content from the source server to the target server by using one of the following methods:



Run the Xcopy command to migrate Web site content to the target server on an intranet or internal network.



Use Windows Explorer to migrate Web site content to the target server on an intranet or internal network.



Use the Copy Project command in Microsoft Visual Studio .NET to migrate Web site content to the target server on an intranet or internal network, if the application has been developed by using Visual Studio .NET.





Note

FrontPage Server Extensions must be installed on the Web server to use the Copy Project command.




Use the Publish Web command in FrontPage to migrate Web site content to the target server on an intranet or over the Internet, if the Web site has been developed using FrontPage.

For more information about how to publish Web site content on the target server by using FrontPage, see "Publish Web Site Content with FrontPage" in "IIS Deployment Procedures" in this book.





Configuring Web Site Application Isolation Settings


Based on the application isolation mode settings of the target server, you need to configure the application isolation settings for each migrated Web site. Configure the Web site application isolation settings so that the Web sites provide the highest possible security and availability.

Configure the Web site application isolation settings by completing the following steps for each Web site on the source server:



Document the current application isolation settings for each Web site on the source server.



When the target server is configured for IIS 5.0 isolation mode, configure the target server to use the same isolation settings as the source server.



When the target server is configured for worker process isolation mode, convert the isolation settings on the source server to application pool settings on the target server.




Documenting the Current Application Isolation Settings on the Source Server


Before you configure the application isolation settings, document the existing application isolation settings of the Web sites and applications that are hosted on the source server. Later in the migration process, you will use these settings for configuring the application isolation mode for your Web sites and applications.

For each Web site and application currently running on the server, document the following:


Application isolation settings




Earlier versions of IIS can host Web sites and applications in pooled or isolated process configurations. For information about how to view the current application isolation mode, see "View Application Isolation Configuration" in "IIS Deployment Procedures" in this book.



If you are running IIS 4.0 on Windows NT Server 4.0, your applications are isolated in one of the following ways:



In-process (running in-process with Inetinfo.exe)



Isolated (running under MTS)





If you are running IIS 5.0 on Windows 2000, your applications are isolated in one of the following ways:



In-process (running in-process with Inetinfo.exe)



Pooled (running in the pooled COM+ application)



Isolated (running in an isolated COM+ application)







Process identity that is used by the Web site or application




Each Web site or application configured in High isolation, or pooled isolation, uses a configurable identity. An identity is a user account that provides a security context for the worker process servicing the Web site or application. The identity can be used to secure content, by using NTFS permissions, or data, such as data stored in Microsoft SQL Server™. For more information about how to view the identity for each Web site or application, see "View Web Site and Application Process Identities" in "IIS Deployment Procedures" in this book.





Note

All Web sites and applications that are configured to run in the Inetinfo.exe process run under the security context of LocalSystem.





Configuring Application Isolation Settings in IIS 5.0 Isolation Mode


When the target Web server is configured to run in IIS 5.0 isolation mode, configure the application isolation settings on the target server identically to the settings on the source server. Web sites and applications on a Web server running in IIS 5.0 isolation mode can be configured with the following application isolation settings:



Low (in-process).



Medium (pooled).



High (isolated).



If the identity on the source server is an account local to the source server, you need to create a service account.

Configure the application isolation settings when IIS 6.0 is configured to run in IIS 5.0 isolation mode by completing the following steps:



Review the application isolation settings on the source server, documented earlier in the migration process.

For more information about how the application isolation settings were documented, see "Documenting the Current Application Isolation Settings on the Source Server" earlier in this chapter.




Create any required local service accounts used for application isolation identities on the target server.

When the application pool identity is a service account that is local to the source server, you need to create a new service account, or designate an existing service account, on the target server. Create the service account in Active Directory to:



Provide centralized administration of the account.



Provide stronger security because the account is stored in Active Directory rather than locally on the Web server.



Allow more than one Web server (for instance, in a Web farm) to use the same service account for the same instance of the application pool on other Web servers.



For more information about how to create a service account to be used as an identity, see "Create a Service Account" in "IIS Deployment Procedures" in this book.



Configure the application isolation settings for the Web sites on the target server to be identical to the settings in Step 1.

For more information about how to configure the application isolation settings for a Web site, see "Configure Application Isolation Settings for IIS 5.0 Isolation Mode" in "IIS Deployment Procedures" in this book.



Configure the application process identities for the Web sites on the target server to be identical to the settings in Step 1.

For more information about how to configure the application process identities for the Web site, see "Configure Application Identity for IIS 5.0 Isolation Mode" in "IIS Deployment Procedures" in this book.




Configuring Application Isolation Settings in Worker Process Isolation Mode


When the target server is configured to use worker process isolation mode, you need to configure the application isolation settings to closely approximate their configuration in IIS 5.0 isolation mode by assigning them to application pools. An application pool is a grouping of one or more Web sites or applications served by one or more worker processes. You might need to apply additional configurations so that the applications retain their original isolation settings.

After converting to worker process isolation mode, all applications run in the preexisting application pool named "DefaultAppPool." If all of the applications ran in the same process in the previous version of IIS, then they all are assigned to the default application pool.

However, if any one of the applications in the same application pool fails, the other applications can be adversely affected. For this reason it is recommended that you isolate your applications into separate application pools whenever possible.


Configure Web sites and applications to run in their own application pool by completing the following steps:


For each Web site or application configured in High isolation in IIS 5.0




Create a new application pool to be used by the Web site or application.

For information about how to create application pools, see "Isolate Applications in Worker Process Isolation Mode" in "IIS Deployment Procedures" in this book.



If the Web site or application previously ran under an identity that is still required by the Web site or application, configure the application pool to use that same identity.

For information about how to configure the identity for an application pool, see "Configure Application Pool Identity" in "IIS Deployment Procedures" in this book.



Assign the Web site or application to the new application pool.

For information about how to assign the Web site to the new application pool, see "Isolate Applications in Worker Process Isolation Mode" in "IIS Deployment Procedures" in this book.




For each Web site or application configured in Low or Medium isolation in IIS 5.0


In earlier versions of IIS, applications ran in-process as DLLs in Inetinfo.exe (Low isolation) and the default process identity (account that the application runs under) was LocalSystem. With worker process isolation mode in IIS 6.0, applications never run in Inetinfo.exe. However, any applications that are not explicitly assigned to an application pool are assigned to the default application pool, which runs under the NetworkService process identity by default. Because LocalSystem has the same permissions and user rights as a member of the Administrators group, run Web sites and applications under the security context of the NetworkService account.

For each Web site or application that ran in Low or Medium isolation in IIS 5.0, do one of the following:



When the Web site or application is able to function under the identity of the NetworkService account in the default application pool, continue to host the Web sites or applications in the default application pool, named "DefaultAppPool."



When the Web site or application is unable to function under the identity of the NetworkService account in the default application pool, perform the following steps:



Create a new application pool.



Create a service account to be used as the identity for the application pool.

For more information about how to create a service account to be used as an identity for an application pool, see "Create a Service Account" in "IIS Deployment Procedures" in this book.



Configure the application pool identity to use the service account.

For more information about how to configure the identity for an application pool, see "Configure Application Pool Identity" in "IIS Deployment Procedures" in this book.



Place the Web site or application in the new application pool.
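The conversion rules above, written out as an added planning aid (not code from the Deployment Kit): it turns the settings documented on the source server into a per-application pool plan. The class and field names, the `<name>Pool` naming, the `WEB01` inventory and the bracketed account placeholders are constructed for illustration. It assumes a new pool left unconfigured runs as NetworkService, and it applies the local-account rule from the IIS 5.0 isolation mode section to application pools as well.

```python
from dataclasses import dataclass, field

DEFAULT_POOL, NETWORK_SERVICE = "DefaultAppPool", "NetworkService"  # both named in the text

@dataclass
class SourceApp:                     # one documented row from the source server
    name: str
    isolation: str                   # "Low", "Medium" or "High"
    identity: str                    # "LocalSystem" or "DOMAIN\\account"
    identity_still_required: bool = False   # matters for High isolation
    works_as_network_service: bool = True   # matters for Low/Medium; found by testing

@dataclass
class PoolPlan:
    app: str
    pool: str
    identity: str
    actions: list = field(default_factory=list)

def is_local_account(identity, source_server):  # "WEB01\\svc" is local to WEB01
    domain, sep, _ = identity.partition("\\")
    return bool(sep) and domain.upper() == source_server.upper()

def plan_pool(app, source_server):
    if app.isolation not in ("Low", "Medium", "High"):
        raise ValueError(f"{app.name}: unknown isolation level {app.isolation!r}")
    own_pool = f"{app.name}Pool"     # naming convention is an assumption
    if app.isolation == "High":
        plan = PoolPlan(app.name, own_pool, NETWORK_SERVICE, ["create application pool"])
        if app.identity_still_required:
            plan.identity = app.identity
            if is_local_account(app.identity, source_server):  # absent on the target
                plan.identity = f"<service account replacing {app.identity}>"
                plan.actions.append("create service account")
            plan.actions.append("configure pool identity")
    elif app.works_as_network_service:
        return PoolPlan(app.name, DEFAULT_POOL, NETWORK_SERVICE)  # stays in the default pool
    else:
        plan = PoolPlan(app.name, own_pool, f"<new service account for {app.name}>",
            ["create application pool", "create service account", "configure pool identity"])
    plan.actions.append("assign to pool")
    return plan

SOURCE_SERVER = "WEB01"              # constructed sample inventory follows
INVENTORY = [
    SourceApp("Intranet", "Low", "LocalSystem"),
    SourceApp("Orders", "High", "CORP\\svcOrders", identity_still_required=True),
    SourceApp("Payroll", "High", "WEB01\\svcPayroll", identity_still_required=True),
    SourceApp("Legacy", "Medium", "WEB01\\svcLegacy", works_as_network_service=False),
]

if __name__ == "__main__":
    for p in (plan_pool(app, SOURCE_SERVER) for app in INVENTORY):
        print(f"{p.app:9} {p.pool:14} {p.identity}: {', '.join(p.actions) or 'no change'}")
```

An application that ran as LocalSystem in Low isolation comes out of the plan under NetworkService, so anything it needed LocalSystem rights for shows up when `works_as_network_service` is determined by testing.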




