Since version 7, Internet Information Services (IIS) has offered a built-in feature known as IIS Shared Configuration, which stores the applicationHost.config, administration.config, and configEncKey.key (encryption key) files used by IIS on a network share. You can then configure multiple web servers to use these configuration files, and any change to the IIS configuration seamlessly propagates to the other servers without any additional tool or administrative effort.

To keep up with the consistently increasing number of users on web applications, organizations tend to utilize technologies such as web farms, server clusters, and load balancing to offer increased availability, scalability, and manageability. When it comes to IIS, replicating the configuration to multiple servers and keeping them in sync was not easy back in the days of IIS 6.

In this article, we will discuss how to configure an IIS shared configuration.

Requirements

Remember, this article does not cover how to set up a web farm or perform load balancing. You will learn how to keep the IIS configuration of multiple web servers in sync.

The following requirements must be met:

  • At least two web servers with the IIS role and features installed.
  • A network share accessible by all web servers using a UNC path, such as \\fileserver\IIS$\shared-config.
  • A user account having suitable permissions to read the files on the network share.

Exporting the IIS shared configuration

To set up and enable the shared configuration, follow these steps:

  1. Create a user account that will be used to access the network share. It is a good idea to create a domain user.

# Create the domain account that IIS will use to read the shared configuration
New-ADUser -Name "IIS Config" `
    -SamAccountName "IISConfig" `
    -AccountPassword (Read-Host -AsSecureString "Enter password") `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -Description "User account for Shared IIS Config"

Creating a new AD user using PowerShell

In a workgroup environment, you need to create the same user on all web servers and file servers that host the network share.

  2. Log in to the file server, create a network share to store the shared configuration files, and grant read permissions to the user account you created in Step 1.

# Create the folder, then share its parent directory as the hidden share IIS$
New-Item D:\IIS\shared-config -Type Directory
New-SmbShare -Name 'IIS$' `
    -Path D:\IIS `
    -FullAccess "TestLab\Domain Admins" `
    -ReadAccess "TestLab\IISConfig" `
    -Description "Network share for IIS shared config"

Creating a network share using PowerShell

The above commands will create a shared folder that will be accessible on the \\fileserver\IIS$\shared-config UNC path in my network.

  3. Now, log in to one web server, open the IIS manager, and configure all the IIS settings properly on this server. This exact IIS configuration will later be exported for use as a shared configuration on all web servers.
  4. Once everything is configured on your web server, make sure the network share \\fileserver\IIS$\shared-config that you created in Step 2 is accessible from this server.
  5. Now click on the server name node in the IIS manager, and then double-click the Shared Configuration icon in the Features view.
Opening the IIS shared configuration feature in the IIS manager

  6. On the Shared Configuration page, click the Export Configuration link under the Actions pane on the right. The Export Configuration dialog box is displayed.
Opening the Exporting Configuration dialog box in the IIS manager

  7. In the Export Configuration dialog box, type the path of the network share, click the Connect As button, and then specify the credentials of the user you created in Step 1. Under the Encryption Keys section, type the password to protect the encryption keys that are exported along with the IIS configuration. Make a note of this password, as you will need it to enable the Shared Configuration feature on each web server. See the following screenshot for detailed reference:
Exporting the IIS configuration to a network share using the IIS manager

After everything is filled in, click OK. If everything goes as expected, you will see a success message, as shown below:

Export of configuration files was successful

The IIS configuration is now exported from the current web server to the network share. Have a look at the following screenshot:

Viewing the exported shared configuration in the file explorer
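
The share created in Step 2 holds applicationHost.config and the exported encryption key, so its access list is worth comparing with what the article grants. The following is an added example, not part of the original article; the function name Test-SharedConfigShareAccess and the sample entries are constructed for illustration.

```powershell
# Added example (not from the article): compare SMB share permissions with an allow-list.
function Test-SharedConfigShareAccess {
    param(
        [Parameter(Mandatory)] [object[]]  $AccessEntry,  # objects shaped like Get-SmbShareAccess output
        [Parameter(Mandatory)] [hashtable] $Allowed       # account name -> highest right it may hold
    )
    $rank = @{ Read = 1; Change = 2; Full = 3; Custom = 3 }   # Custom is treated as worst case
    foreach ($entry in $AccessEntry) {
        # Deny entries only remove access, so they are not findings.
        if ("$($entry.AccessControlType)" -ne 'Allow') { continue }
        $account = "$($entry.AccountName)"
        $right   = "$($entry.AccessRight)"
        $finding = if (-not $Allowed.ContainsKey($account)) {
            'UnexpectedAccount'
        } elseif ($rank[$right] -gt $rank[$Allowed[$account]]) {
            'ExcessiveRight'
        } else {
            'OK'
        }
        [pscustomobject]@{ Account = $account; Right = $right; Finding = $finding }
    }
}

# Allow-list taken from Step 2 of the article.
$allowed = @{ 'TestLab\Domain Admins' = 'Full'; 'TestLab\IISConfig' = 'Read' }

# Constructed sample entries; on the file server use: Get-SmbShareAccess -Name 'IIS$'
$sample = @(
    [pscustomobject]@{ AccountName = 'TestLab\Domain Admins'; AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ AccountName = 'TestLab\IISConfig';     AccessControlType = 'Allow'; AccessRight = 'Change' }
    [pscustomobject]@{ AccountName = 'Everyone';              AccessControlType = 'Allow'; AccessRight = 'Read' }
)

# Reports TestLab\IISConfig as ExcessiveRight and Everyone as UnexpectedAccount.
Test-SharedConfigShareAccess -AccessEntry $sample -Allowed $allowed |
    Where-Object Finding -ne 'OK'
```

Share permissions are evaluated together with the NTFS permissions on D:\IIS, so review the folder ACL with Get-Acl as well.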

Enabling the shared configuration

At this point, you have the shared configuration exported to a network share. The next step is to enable the shared configuration on each web server. To enable the shared configuration, log on to each web server and perform the following steps:

  1. Log in to the web server and open the IIS manager.
  2. Click the server name node, and then double-click the Shared Configuration icon in the Features view.
  3. On the Shared Configuration page, check the box that says Enable shared configuration. Now type the network share path and user account information, as shown in the following screenshot, and then click Apply under the Actions pane on the right.
Enabling the shared configuration in the IIS manager

  4. In the dialog box that is displayed, enter the encryption key password you set during export. Then click OK.
Enter encryption keys password

A message is displayed informing you that your existing IIS encryption keys will be backed up in the current configuration directory (%windir%\system32\inetsrv\config) on your local computer.

  5. Click OK to confirm.
Your existing IIS encryption keys will be backed up in the current configuration directory on your local computer

Finally, you will see a message saying that the changes have been successfully saved. You need to close and reopen the IIS manager.

  6. Click OK to confirm.
The changes have been successfully saved

  7. Now, close the IIS manager and open it again so that it picks up the configuration changes.

That's it. Your web server is now all set to use a shared configuration for IIS.

The information about shared configuration is stored in a file named redirection.config, which is available in the %windir%\system32\inetsrv\config directory on the web server.

Viewing the redirection.config file on the web server

Remember that IIS will no longer use the administration.config and applicationHost.config files that are available in this directory. Instead, it uses the configuration files stored on the network share.
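
A check that a web server's redirection.config points at the intended share, as an added example that is not part of the original article. The function name Test-SharedConfigRedirection, its parameters, and the sample file are assumptions; the sample XML is constructed to mirror the attributes IIS writes (enabled, path, userName, password).

```powershell
# Added example (not from the article): audit redirection.config on a web server.
function Test-SharedConfigRedirection {
    param(
        [Parameter(Mandatory)] [string] $Path,          # redirection.config to inspect
        [Parameter(Mandatory)] [string] $ExpectedPath   # UNC path every farm member should use
    )
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $node = $doc.SelectSingleNode('/configuration/configurationRedirection')
    if (-not $node) { throw "No <configurationRedirection> element in $Path" }

    $target   = $node.GetAttribute('path')
    $password = $node.GetAttribute('password')

    [pscustomobject]@{
        File              = $Path
        Enabled           = $node.GetAttribute('enabled') -eq 'true'
        Path              = $target
        UserName          = $node.GetAttribute('userName')
        # Case-insensitive comparison, ignoring a trailing backslash.
        PathMatches       = $target.TrimEnd('\') -ieq $ExpectedPath.TrimEnd('\')
        # IIS stores encrypted attribute values as [enc:<provider>:<data>:enc].
        PasswordEncrypted = $password.StartsWith('[enc:') -and $password.EndsWith(':enc]')
    }
}

# Constructed sample file; the password value is a placeholder, not real ciphertext.
$sample = Join-Path $env:TEMP 'redirection.sample.config'
@'
<configuration>
    <configSections>
        <section name="configurationRedirection" />
    </configSections>
    <configurationRedirection enabled="true" path="\\fileserver\IIS$\shared-config"
        userName="TestLab\IISConfig" password="[enc:IISRsaProvider:PLACEHOLDER:enc]" />
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Test-SharedConfigRedirection -Path $sample -ExpectedPath '\\fileserver\IIS$\shared-config'

# On a web server, inspect the live file instead:
#   -Path "$env:windir\System32\inetsrv\config\redirection.config"
```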

That is all for this guide. Once the shared configuration is enabled on multiple web servers, you can make the changes using the IIS manager from any web server, and those changes will be automatically pulled by other partner web servers so that the IIS configuration always remains the same on each server. This significantly reduces the excess administrative burden of managing each web server individually.

2 Comments
  1. First Last 1 year ago

    What are the PowerShell commands for enabling shared config and adding additional servers?

    • Author

      Hi,
      Use the following PowerShell commands:

      $EncryptionPwd = Read-Host -AsSecureString
      # $SharePwd is used instead of $Pwd, which is PowerShell's automatic current-location variable
      $SharePwd = Read-Host -AsSecureString
      
      # Exporting IIS Configuration and keys
      Export-IISConfiguration -PhysicalPath "Z:\IISConfig" -KeyEncryptionPassword $EncryptionPwd
      
      # Enabling Shared Configuration
      Enable-IISSharedConfig -PhysicalPath "Z:\IISConfig" -KeyEncryptionPassword $EncryptionPwd -UserName "domain\admin" -Password $SharePwd
      

      Repeat the last command on additional web servers to enable shared IIS config.


© 4sysops 2006 - 2023
