Discover the IIS Metabase: Unlock the Details of Your Web Server Configuration
At a Glance:
- Backing up and restoring the metabase
- Editing the metabase
- Importing and exporting the metabase
Some of the major changes in IIS 6.0, the latest Web server from Microsoft, are happening in the metabase. In IIS 4.0 and IIS 5.0, the metabase, which functions as a hierarchical storage facility for configuration information and schema,
was stored in Meta-Base.bin—a binary file that was unique to each machine. In IIS 6.0, the metabase is stored in two plain-text XML files. Given that these are plain text, it is a fairly straightforward process to edit the configuration and schema data using most any commonly available text-editing tools. Import, export, backup, and restoration procedures for the database all become easier, as well.
Figure 1 New Metabase Archive
There are actually three parts to the metabase: two XML files and the in-memory metabase. MetaBase.xml and MBSchema.xml are found in the \windows\system32\inetsrv folder. The MetaBase.xml file contains the bulk of the configuration information used by IIS and is stored in a hierarchical manner. The MBSchema.xml file contains the schema used to define how information is stored in the MetaBase.xml file and enforces these key values. The in-memory metabase uses the information contained in both the MetaBase.xml and MBSchema.xml files whenever IIS is started or restarted. The Metabase Storage Layer, through the use of the Admin Base Objects (ABOs), which is a set of binary COM interfaces, reads both the MBSchema.xml and MetaBase.xml files and writes that information to the in-memory metabase. The Metabase Storage Layer also writes changes back to the XML files when a write-to-disk event occurs. Figure 1 depicts the architecture.
Whenever changes are made through the Internet Services Manager (ISM) Snap-In or other programmatic interfaces (as shown in Figure 1), these changes are first written to the in-memory metabase and then to the MetaBase.xml file either after a set period of time or after a specific number of changes. You can also force this to occur by stopping and then restarting IIS using either the ISM or a command line.
Backing Up and Restoring the Metabase
It is very important to make backups of your metabase as part of a regular disaster recovery strategy. Keep in mind that the metabase backs up only the configuration information for IIS, not the content. Backups are created in the \windows\system32\Inetsrv\MetaBack folder by default. There are two new types of backups in IIS 6.0: portable and non-portable; the difference between the two is in how they are secured. To create a backup, right-click Computer Name in the ISM, choose All Tasks, then Configuration Backup/Restore (see Figure 2).
Figure 2 Backup and Restore Configuration
At this point you have the option of either simply selecting OK or clicking the Encrypt backup using password option. If you choose OK, you will not supply a password and the backup will be machine-specific. In this type of backup, the secure properties of the metabase will still be encrypted, but using machine-specific information, hence making the backup non-portable. If you choose the Encrypt backup using password option, the password is encrypted into the header of the configuration file and used to encrypt the secure properties of the metabase. Since the password is stored in encrypted form within the header, the file itself can be copied to another server (making it portable).
You restore a database in much the same way as you initially created the backup. Go to ISM, right-click Computer Name, choose All Tasks, then choose Configuration Backup/Restore and specify which backup you want to restore.
Another new feature of the IIS metabase is automatic versioning and history. This feature automatically tracks any configuration changes to the metabase that have been saved to the disk. These changes are time-stamped copies of the MetaBase.xml and MBSchema.xml files and are saved in the \windows\system32\Inetsrv\history folder as a history file pair. The unique version number of each history file pair is determined by whether it is a major or minor revision. The number of a major version is increased by one whenever a change is written from the in-memory metabase. The number of a minor version is increased by one whenever the edit-while-running feature is used—that is, when an administrator makes a manual change to the database. The minor version is reset to zero whenever the major version is incremented by one
Since only the last 10 versions are saved (by default), the oldest, as determined by time stamp, is deleted to make room for the newest version. This feature gives an administrator the ability to revert the metabase to any previously saved configuration that is in the \windows\system32\Inetsrv\history folder. It is recommended that you do not save fewer than the 10 versions saved by default. You can save more, however; you just need to be aware of how much disk space is being used by the file pairs. In the example just shown, each file pair is using 283KB of space. You can adjust the number of saved versions by adjusting MaxHistoryFiles="10" in the Metabase.xml file:
<IIsComputer Location="/LM" EnableEditWhileRunning="0" EnableHistory ="1" MaxBandwidth="4294967295" MaxHistoryFiles="10"/>
Your ability to edit the metabase has been greatly enhanced in IIS 6.0. Since the metabase is built using XML files, you can now edit the file using any text editor program. You can also edit the metabase while IIS is running (without having to stop IIS services) by enabling the edit-while-running feature. This new feature is not enabled by default, but can be enabled through either the ISM or command line. To enable it through the ISM, right-click on the server name, click properties, and then select the Enable Direct Metabase Edit option (see Figure 3). You have several options to enable this feature through the command line. You can manually edit the MetaBase.xml file and change the EnableEditWhileRunning value from 0 to 1 (note: you’ll have to do this while IIS is stopped, and restart it once you’re finished). The entry should look like this:
<IIsComputer Location="/LM" EnableEditWhileRunning="1" EnableHistory="1"
You can also use the adsutil.vbs script, which ships with IIS 6.0, and issue the following command:
c:\Inetpub\AdminScripts> cscript adsutil.vbs set EnableEditWhileRunning 1
Figure 3 Edit the Metabase with IIS Running
Other best practices for editing the metabase and maintaining metabase integrity can be found at Best Practices for Maintaining Metabase Integrity (IIS 6.0). For more information about using the Metabase Explorer to perform editing and other tasks, see the "Metabase Explorer" sidebar.
Exporting the Metabase
Exporting the metabase allows an administrator to create a file that contains only selected elements from a specific metabase configuration file. This file can then be used for a number of different purposes: an administrator can later import the file back into the same machine, the configuration file can be imported into other machines, or it can be used as a metabase template to create numerous other servers with the same configuration. This feature does not replace performing regular backups of your IIS Server. The export file that you create does not contain any of the content elements of a Web site, only its configuration details.
The only elements exported are those that the administrator explicitly designates as such and can include all or parts of application pools, directories and virtual directories, and sites (FTP, NNTP, SMTP, and Web). You must be a member of the administrators group, or have been delegated permission, in order to perform import/export functions.
There are several tools available to export or import a metabase file: you can use the ISM, utilize the iiscnfg.vbs script (which is installed along with IIS), or create your own custom script. The ISM is the easiest to use for exporting and importing. Just open it, right-click the element you want to export (for example, a Web or FTP site), click All Tasks and then choose Save Configuration to a File (see Figure 4).
Figure 4 Exporting the Metabase Via The ISM
With the Save Configuration to a File dialogue box open, you can specify a file name and a path to the storage location. You can choose to encrypt the file by enabling the option Encrypt configuration using password. Encrypting an exported metabase file works the same as encrypting a backup file, as discussed earlier in this article.
If you choose not to specify a password, any secure fields in the metabase will be encrypted with machine specific information, and hence the exported file will not be portable. If you do choose to specify a password, that password will be encrypted along with the secure properties in the metabase file, and the file will be portable to other machines.
You can also use the script isscnfg.vbs as a means to export and import a file. To use the script, open a command prompt, navigate to the \windows\system32 folder, and type:
Cscript iiscnfg.vbs /export /f filename.xml /sp /lm/w3svc/X (where x is the identifier number, 5 in this case) /d p@ssw0rd1
Importing the Metabase
The way you import the metabase depends on whether you are importing to the same machine or a different machine. To import to the same machine, open the ISM, right-click the element (a Web or FTP site) you want to import the data into and click New. From there, specify what you want to bring in from the configuration file—a Web Site (from file), Virtual Directory (from file), FTP site (from file), and so on.
Then you must specify the file location and click Read File. At this point, you can choose what configuration you want to import from the Select a configuration to import window (see Figure 5).
Figure 5 Selecting a Configuration
To use a command line to import a configuration file, you can use the iiscnfg.vbs script mentioned earlier. To do so, open a command prompt, navigate to the \windows\system32 folder and type: Cscript iiscnfg.vbs /import /f (path to where the .xml file to be imported is located), /sp (source path) /lm/w3svc/X (where x is the identifier number, 5 in this case), /dp (destination path) /lm/w3svc/X (identifier number, 5 in this case) /d [password]. The resulting command line will look like this:
c:\windows\system32>Cscript iiscnfg.vbs /import /f c:\ export.xml /sp /lm/w3svc/5 /dp /lm/w3svc/5 /d p@ssw0rd1
There is one special switch associated with iiscnfg.vbs that allows you to copy the entire metabase (MetaBase.xml and MBSchema.xml) from one machine to another: the iiscnfg /copy. This would be particularly useful if you had a number of servers to create with similar structures.
As you can see, there are some very useful tools available for an administrator to effectively and efficiently manage multiple Web servers. IIS 6.0 has matured into a robust and stable server and the new features and capabilities of the metabase play an important role in its ease-of-use.
IIS Metabase Explorer 1.6 (mbexplorer.exe) provides a graphical user interface for viewing and editing IIS metabase stores. You can use Metabase Explorer to export and import keys and subkeys, copy keys and subkeys, edit security settings for keys, and compare records within the metabase.
This tool can be used to perform a wide variety of tasks to help you manage the IIS Metabase. For example, you can use it to back up or restore parts of the metabase. You can also use it to reset the default IIS Web site, or allow a nonadministrator account to change the metabase by adding a restricted write access control list (ACL) to specific metabase nodes.
Metabase Explorer can be used to edit the metabase for IIS versions 4.0, 5.0, and 6.0, and lets you connect to both local and remote metabases. To use Metabase Explorer, you’ll need to install the IIS 6.0 Resource Kit Tools (see Knowledge Base article 840671 The IIS 6.0 Resource Kit Tools for download details).
IIS Metabase Explorer 1.6
Randy Muller (MCT, MCSE, MCSA, MCDST) teaches a variety of networking, security and other computer classes. He is a former Army Signal Corp Officer and has been teaching since 2000. You can contact Randy at firstname.lastname@example.org
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.