Exporting IIS Configurations Using Iiscnfg.vbs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

You can use the command-line script iiscnfg.vbs, which is stored in systemroot\System32, to copy all or part of an IIS metabase to an XML file, in an encrypted or unencrypted format. The XML file can be used in an /import operation to copy all or part of the metabase to another IIS configuration.

The computer issuing the command must be running Windows XP or a member of the Windows Server 2003 family. The computer that the command affects must be running a member of the Windows Server 2003 family with IIS 6.0.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer</STRONG>Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).

This topic includes the following information:

  • Overview: Key concepts in understanding the export procedures.

  • Syntax: The order in which you type a command and any arguments and options that follow it.

  • Parameters: The values that are given to variables in the command.

  • Examples: Sample code and an explanation of the results.

Overview

The metabase of an IIS server includes system-specific and computer-specific properties. Do not export the configuration of one IIS server to another IIS server without modification. Instead, use Backing Up IIS Configurations Using Iisback.vbs or the Exporting IIS Configurations Using Iiscnfg.vbs/copy operation, both of which replace system-specific and computer-specific properties so that the configuration is valid on the destination computer.

Iiscnfg.vbs provides an option to include inherited properties in the export file.

To prevent unauthorized use of export files, iiscnfg.vbs allows you to encrypt the export file with a password. The password encrypts the session key which, in turn, encrypts all of the properties for which the secure attribute is set.

You can read an encrypted export file (only the session key and secure properties are encrypted) and you can delete the file. However, you cannot use the export file in an /import operation unless you provide the encrypting password. Also, you cannot remove the password encryption from an export file or change the encrypting password.

The /copy operation changes the computer-specific and system-specific properties in the metabase so that they are valid on the target computer. However, it does not adjust the directory or file paths. As a result, paths in the configuration might not be valid on the target computer.

Syntax

iiscnfg /export/f [Path\]FileName.xml/sp SourcePath [/d EncryptingPassword] [/inherited] [/children*] [*/s Computer [/u [Domain\]User [/p Password]]]

Parameters

/f *[Path\]FileName.*xml

Required. Specifies a unique name and location for the export file. If you specify an existing file or if the directories in the path you specify do not exist, the command fails. Also, the file path must be local. When exporting a file from a remote computer, the /f parameter refers to a path on the remote computer.

/sp SourcePath

Required. Specifies the metabase keys to export. Enter a metabase path, including /lm/ root, to indicate the selected keys.

/d EncryptingPassword

Encrypts the export file with the specified password. You can use any string as the password. The /d parameter creates a secure export file by encrypting the session key and secure properties with the specified password. You must provide the password to use the file in an /import operation.

If you omit this parameter or omit the password argument, then the export file is encrypted with a blank password. As a result, only the secure properties are encrypted and any administrator can use the export file to import a metabase configuration.

/inherited

Adds the inherited properties of the exported keys to the export file. Without this parameter, the export file does not include properties inherited from higher-level keys. If you select this option, iiscnfg.vbs adds the inherited properties of the exported keys to an IIsInheritedProperties key in the export file. When you import keys from this file, you can elect to import the inherited properties with the keys.

Note

When inherited properties are imported, the imported keys retain the properties they inherited in the exporting configuration. If inherited properties are not imported, the keys inherit the properties of the importing configuration.

/children

Recursively adds the subkeys of the specified key to the export file.

/s Computer

Runs the script on the specified remote computer. Type the computer name or IP address without backslashes. The default is the local computer.

/u [Domain\]User

Runs the script with the permissions of the specified user account. This account must be a member of the Administrators group on the remote computer. By default, the script runs with the permissions of the current user of the local computer.

/p Password

Specifies the password of the user account that is specified in the /u parameter. If you omit this parameter, the script prompts you for the password and obscures the text you type.

Examples

Example 1:

The following example exports the configuration of the Finance Web site to the C:\Finance\Finance.xml file. The command uses the /sp parameter to specify the metabase path of the Web site, which is /lm/W3SVC/2, and the /children parameter to export all of the subkeys of the configuration. It also uses the /inherited parameter to include inherited properties in the export file. This ensures that the Web site configuration retains these properties even if it is imported into a different system.

iiscnfg /export /f c:\finance\finance.xml /sp /lm/w3svc/2 /children /inherited

In response, iiscnfg displays the following success message:

Configuration exported from /lm/w3svc/2 to file c:\finance\finance.xml

The resulting file includes all of the keys and subkeys within the /lm/w3svc/2 path. It also includes an IisInheritedProperties key that contains the values of all of the inherited properties.

Example 2:

The following example exports the IIS configuration of the local computer to the D:\IIStest\Config.xml file. It uses the /f parameter to specify the file name and location and the /sp parameter to specify the root key (/) of the metabase. The /children parameter adds all of the subkeys of the root key recursively to the export file. (Without the /children parameter, only the root key is exported.) Finally, the command uses the /d parameter and a password to encrypt the export file.

iiscnfg /export /f d:\iistest\config.xml /sp / /children /d p@sswoRd61

In response, iiscnfg displays the following success message:

Configuration / has been exported to d:\iistest\config.xml

Even a complete export of the configuration is not identical to the MetaBase.xml file for the system. The session key, access control lists (ACLs), and passwords differ.

You cannot tell by looking at the export file that it is encrypted. However, if you compare an encrypted and unencrypted version of the same file, you can see that the values of the secure properties are changed in the encrypted version. Therefore, the file cannot be used in an import command without the password.