Terry
Mon Jan 24 10:17:02 CST 2005
If I use domain credentials for everything, can I also use iiscnfg /export
and /import to deploy changes to single sites without worrying about deleting
"machine-specific" keys?
Also, can you give me a better (more complete and accurate) explanation of
what the /inherited and /merge switches do? The IIS documentation is very
terse on both.
Thanks!
"David Wang [Msft]" wrote:
> The behavior you observe with /copy ( IUSR/IWAM ) is by-design.
>
> When you have a group of machines running IIS6 that are supposed to be "the
> same", you have the following strategies:
> 1. Make sure all configured user credentials on all servers are identical --
> i.e. AnonymousUsername, WAMUsername, UNCUsername, AppPool Identity, etc.
> This way, restoring metabase configuration won't look like duplication
> 2. Instead of local user credentials on #1, use common domain credentials
>
> #2 is probably the smoothest way to go since the domain credential ensures
> that all ACLs (and their SIDs) are the same on all the servers in the group.
> #1 only ensures that the user credential is the same (so IIS authenticates
> ok), but the SIDs on each server's ACLs are not the same, so you can't copy
> files between the servers with expectation of similar ACL since the SID is
> not the same.
>
> --
> //David
> IIS
>
http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Terry" <Terry@discussions.microsoft.com> wrote in message
> news:00951D10-3469-4AFE-BDF9-4AF2049AF80A@microsoft.com...
> I have spent days trying to determine the best way to deploy our MetaBase
> changes to a server group and cannot be confident that I have the answer.
>
> The best result has been with using:
>
> > iiscnfg /copy /s stage01 /u dom\user /p pass /ts prod01 /tu dom\user /tp
> pass
>
> The documentation says that /copy "changes the computer-specific and
> system-specific properties in the metabase so that they are valid on the
> target computer."
>
> I read the iiscnfg.vbs script, and can not see where any metabase
> information is changed. It simply maps the admin$ shares on the 2 computers
> issues the command:
>
> > iisback /backup /s svr1 /u usr /p pwd /b iisreplback /overwrite
>
> Next it copies the backup files to the target computer and issues:
>
> > iisback /restore /s svr1 /u usr /p pwd /b iisreplback
>
> It never changes anything in the metabase as far as I can see. So the
> question is, are the AdminACLs and IUSR and IWAM account settings valid on
> the target server?
>
> Everything seems to work. The only problem is that the /copy command creates
> local IUSR and IWAM accounts on the destination server that match the source
> server name.
>
> Before I use this method to build my production Web servers, can anyone tell
> me if this is not a valid way to do a metabase deployment. Any advice would
> be greatly appreciated.
>
>
>