IIS shared configuration

Since version 7, Internet Information Services (IIS) has offered a built-in feature known as IIS Shared Configuration, which uses the idea of storing the applicationHost.config, administration.config, and configEncKey.key (encryption key) files used by IIS in a network share. You can then configure multiple web servers to utilize these configuration files, and any change to the IIS configuration seamlessly propagates to other servers without any additional tool or administrative effort.

Contents

Requirements
Exporting the IIS shared configuration
Enabling the shared configuration

Author
Recent Posts

Surender Kumar

Surender Kumar has more than twelve years of experience in server and network administration. His fields of interest are Windows Servers, Active Directory, PowerShell, web servers, networking, Linux, virtualization, and penetration testing. He loves writing for his blog.

Latest posts by Surender Kumar (see all)

Store secrets in AWS Secrets Manager - Fri, Mar 17 2023
Install Windows 10 / 11 22H2 without Microsoft account - Tue, Feb 28 2023
Configuring IPvlan networking in Docker - Fri, Feb 24 2023

To keep up with the consistently increasing number of users on web applications, organizations tend to utilize technologies such as web farms, server clusters, and load balancing to offer increased availability, scalability, and manageability. When it comes to IIS, replicating the configuration to multiple servers and keeping them in sync was not easy back in the days of IIS 6.

In this article, we will discuss how to configure an IIS shared configuration.

Requirements

Remember, this article does not cover how to set up a web farm or perform load balancing. You will learn how to keep the IIS configuration of multiple web servers in sync.

The following requirements must be met:

At least two or more web servers having the IIS role and features installed.
A network share accessible by all web servers using a UNC path, such as \\fileserver\IIS$\shared-config.
A user account having suitable permissions to read the files on the network share.

Exporting the IIS shared configuration

To set up and enable the shared configuration, follow these steps:

Create a user account that will be used to access the network share. It is a good idea to create a domain user.

New-ADUser -Name "IIS Config" `
		-SamAccountName "IISConfig" `
		-AccountPassword(Read-Host -AsSecureString "Enter password") `
		-Enabled $true `
		-PasswordNeverExpires $true `
		-Description "User account for Shared IIS Config"

Creating a new AD user using PowerShell

In a workgroup environment, you need to create the same user on all web servers and file servers that host the network share.

Log in to the file server, create a network share to store the shared configuration files, and grant read permissions to the user account you created in Step 1.

New-Item D:\IIS\shared-config -Type Directory
New-SMBShare –Name IIS$ `
    –Path D:\IIS `
    –FullAccess "TestLab\Domain Admins" `
    -ReadAccess "TestLab\IISConfig" `
    -Description "Network share for IIS shared config"

Creating a network share using PowerShell

The above commands will create a shared folder that will be accessible on the \\fileserver\IIS$\shared-config UNC path in my network.

Now, log in to one web server, open the IIS manager, and configure all the IIS settings properly on this server. This exact IIS configuration will later be exported for use as a shared configuration on all web servers.
Once everything is configured on your web server, make sure the network share \\fileserver\IIS$\shared-config that you created in Step 2 is accessible from this server.
Now click on the server name node in the IIS manager, and then double-click the Shared Configuration icon in the Features view.

Opening the IIS shared configuration feature in the IIS manager

On the Shared Configuration page, click the Export Configuration link under the Actions pane on the right. The Export Configuration dialog box is displayed.

Opening the Exporting Configuration dialog box in the IIS manager

In the export configurations dialog box, type the path of the network share, click the Connect As button, and then specify the credentials of the user you created in Step 1. Under the Encryption Keys section, type the password to protect the encryption keys that are exported along with the IIS configuration. Make a note of this password, as you will need it to enable the Shared Configuration feature on each web server. See the following screenshot for detailed reference:

Exporting the IIS configuration to a network share using the IIS manager

After everything is filled in, click OK. If everything goes as expected, you will see a success message, as shown below:

Export of configuration files was successful

The IIS configuration is now exported from the current web server to the network share. Have a look at the following screenshot:

Viewing the exported shared configuration in the file explorer

Enabling the shared configuration

At this point, you have the shared configuration exported to a network share. The next step is to enable the shared configuration on each web server. To enable the shared configuration, log on to each web server and perform the following steps:

Log in to the web server and open the IIS manager.
Click the server name node, and then double-click the Shared Configuration icon in the Features view.
On the Shared Configuration page, check the box that says Enable shared configuration. Now type the network share path and user account information, as shown in the following screenshot, and then click Apply under the Actions pane on the right.

Enabling the shared configuration in the IIS manager

In the dialog box that is displayed, enter the encryption key password you set during export. Then click OK.

Enter the encryption keys password

A message is displayed informing you that your existing IIS encryption keys will be backed up in the current configuration directory (%windir%\system32\inetsrv\config) on your local computer.

Click OK to confirm.

Your existing IIS encryption keys will be backed up in the current configuration directory on your local computer

Finally, you will see a message saying that the changes have been successfully saved. You need to close and reopen the IIS manager.

Click OK to confirm.

The changes have been successfully saved

Now, close the IIS manager and open it again to recognize the configuration changes.

That's it. Your web server is now all set to use a shared configuration for IIS.

The information about shared configuration is stored in a file named redirection.config, which is available in the %windir%\system32\inetsrv\config directory on the web server.

Viewing the redirection.config file on the web server

Remember that IIS will no longer use the administration.config and applicationHost.config files that are available in this directory. Instead, it uses the configuration files stored on the network share.

Subscribe to 4sysops newsletter!

That is all for this guide. Once the shared configuration is enabled on multiple web servers, you can make the changes using the IIS manager from any web server, and those changes will be automatically pulled by other partner web servers so that the IIS configuration always remains the same on each server. This significantly reduces the excess administrative burden of managing each web server individually.

Want to write for 4sysops? We are looking for new authors.

4sysops members can earn and read without ads!

2 Comments

First Last 9 months ago

What are the Powershell commands for enabling shared config and adding additional servers?

Surender Kumar (Rank 4) 9 months ago

Hi,
Use the following PowerShell commands:

$EncryptionPwd = Read-Host -AsSecureString
$Pwd = Read-Host -AsSecureString

# Exporting IIS Configuration and keys
Export-IISConfiguration -PhysicalPath "Z:\IISConfig" -KeyEncryptionPassword $EncryptionPwd

# Enabling Shared Configuration
Enable-IISSharedConfig -PhysicalPath "Z:\IISConfig" -KeyEncryptionPassword $EncryptionPwd -UserName "domain\admin" -Password $Pwd

Repeat the last command on additional webservers to enable shared IIS config.

Requirements

Exporting the IIS shared configuration

Enabling the shared configuration

Subscribe to 4sysops newsletter!

IIS and Exchange Server security with Windows Extended Protection (WEP)

Automate file downloads with Windows FTP or curl

How to use curl on Windows

Troubleshoot HTTP Error 403.14 – Forbidden in IIS

How to fix HTTP Error 503 – The service is unavailable

Debugging an IIS 500 – Internal server error

Troubleshoot 401 – Unauthorized: Access is denied due to invalid credentials in IIS

IIS Failed Request Tracing

Enable detailed IIS errors

Increase IIS performance with HTTP/3 in Windows Server 2022

Use OpenSSL-based software XCA as offline root certificate authority for AD Certificate Services

Install LAMP stack (Apache, MySQL, PHP) on the Subsystem for Linux 2 (WSL2)

Check all Windows Servers for expiring certificates using PowerShell

Automatic renewal of Let’s Encrypt SSL certificates with Cloudflare using Ansible

Manage Internet Information Services (IIS) using Windows Admin Center (WAC)

Install and manage IIS with SSL using PowerShell

Monitor web server uptime with a PowerShell script

Leave a reply Click here to cancel the reply

Subscribe to Newsletter

Follow 4sysops

CONTACT US

IIS shared configuration

Requirements

Exporting the IIS shared configuration

Enabling the shared configuration

Subscribe to 4sysops newsletter!

Leave a reply Click here to cancel the reply

Subscribe to Newsletter

Follow 4sysops

CONTACT US

Log in with your credentials

Forgot your details?

Create Account