To keep up with the consistently increasing number of users on web applications, organizations tend to utilize technologies such as web farms, server clusters, and load balancing to offer increased availability, scalability, and manageability. When it comes to IIS, replicating the configuration to multiple servers and keeping them in sync was not easy back in the days of IIS 6.
In this article, we will discuss how to configure an IIS shared configuration.
Remember, this article does not cover how to set up a web farm or perform load balancing. You will learn how to keep the IIS configuration of multiple web servers in sync.
The following requirements must be met:
- At least two web servers with the IIS role and features installed.
- A network share accessible by all web servers using a UNC path, such as \\fileserver\IIS$\shared-config.
- A user account having suitable permissions to read the files on the network share.
Exporting the IIS shared configuration
To set up and enable the shared configuration, follow these steps:
- Create a user account that will be used to access the network share. It is a good idea to create a domain user.
    # Requires the ActiveDirectory module (RSAT) on the machine where you run it
    New-ADUser -Name "IIS Config" `
        -SamAccountName "IISConfig" `
        -AccountPassword (Read-Host -AsSecureString "Enter password") `
        -Enabled $true `
        -PasswordNeverExpires $true `
        -Description "User account for Shared IIS Config"
In a workgroup environment, you need to create the same user on all web servers and file servers that host the network share.
- Log in to the file server, create a network share to store the shared configuration files, and grant read permissions to the user account you created in Step 1.
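    # Create the folder that will hold the exported configuration files
    New-Item D:\IIS\shared-config -Type Directory
    # Share the parent folder: full access for admins, read-only for the IIS account
    New-SmbShare -Name 'IIS$' `
        -Path D:\IIS `
        -FullAccess "TestLab\Domain Admins" `
        -ReadAccess "TestLab\IISConfig" `
        -Description "Network share for IIS shared config"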
The above commands will create a shared folder that will be accessible on the \\fileserver\IIS$\shared-config UNC path in my network.
- Now, log in to one web server, open the IIS manager, and configure all the IIS settings properly on this server. This exact IIS configuration will later be exported for use as a shared configuration on all web servers.
- Once everything is configured on your web server, make sure the network share \\fileserver\IIS$\shared-config that you created in Step 2 is accessible from this server.
- Now click on the server name node in the IIS manager, and then double-click the Shared Configuration icon in the Features view.
- On the Shared Configuration page, click the Export Configuration link under the Actions pane on the right. The Export Configuration dialog box is displayed.
- In the Export Configuration dialog box, type the path of the network share, click the Connect As button, and then specify the credentials of the user you created in Step 1. Under the Encryption Keys section, type the password to protect the encryption keys that are exported along with the IIS configuration. Make a note of this password, as you will need it to enable the Shared Configuration feature on each web server. See the following screenshot for detailed reference:
After everything is filled in, click OK. If everything goes as expected, you will see a success message, as shown below:
The IIS configuration is now exported from the current web server to the network share. Have a look at the following screenshot:
Enabling the shared configuration
At this point, you have the shared configuration exported to a network share. The next step is to enable the shared configuration on each web server. To enable the shared configuration, log on to each web server and perform the following steps:
- Log in to the web server and open the IIS manager.
- Click the server name node, and then double-click the Shared Configuration icon in the Features view.
- On the Shared Configuration page, check the box that says Enable shared configuration. Now type the network share path and user account information, as shown in the following screenshot, and then click Apply under the Actions pane on the right.
- In the dialog box that is displayed, enter the encryption key password you set during export. Then click OK.
A message is displayed informing you that your existing IIS encryption keys will be backed up in the current configuration directory (%windir%\system32\inetsrv\config) on your local computer.
- Click OK to confirm.
Finally, you will see a message saying that the changes have been successfully saved. You need to close and reopen the IIS manager.
- Click OK to confirm.
- Now, close the IIS manager and open it again to recognize the configuration changes.
That's it. Your web server is now all set to use a shared configuration for IIS.
The information about shared configuration is stored in a file named redirection.config, which is available in the %windir%\system32\inetsrv\config directory on the web server.
Remember that IIS will no longer use the administration.config and applicationHost.config files that are available in this directory. Instead, it uses the configuration files stored on the network share.
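To confirm on each web server that redirection.config points at the intended share, the following added example (not part of the original article) parses the file and reports deviations. The function name Test-IISRedirection, the sample XML, and the placeholder password value are constructed for illustration; the `[enc:` prefix check is an assumption about how IIS writes encrypted attributes.

```powershell
# Added example: audit redirection.config against the values the farm should use.
function Test-IISRedirection {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [xml]    $Config,        # parsed redirection.config
        [Parameter(Mandatory)] [string] $ExpectedPath,  # UNC path of the shared config
        [Parameter(Mandatory)] [string] $ExpectedUser   # account used to read the share
    )
    $findings = @()
    $node = $Config.SelectSingleNode('/configuration/configurationRedirection')
    if ($null -eq $node -or $node.GetAttribute('enabled') -ne 'true') {
        $findings += 'Shared configuration is not enabled'
    } else {
        $path   = $node.GetAttribute('path')
        $user   = $node.GetAttribute('userName')
        $secret = $node.GetAttribute('password')
        if ($path -ne $ExpectedPath) { $findings += "Unexpected path: $path" }
        if ($user -ne $ExpectedUser) { $findings += "Unexpected account: $user" }
        # Assumption: IIS stores encrypted attributes as "[enc:<provider>:<data>:enc]";
        # any other value means the password was typed into the file by hand.
        if ($secret -and $secret -notmatch '^\[enc:') {
            $findings += 'Password attribute is not encrypted'
        }
    }
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample file; the password value is a placeholder, not real ciphertext.
$sample = [xml]@'
<configuration>
  <configSections>
    <section name="configurationRedirection" />
  </configSections>
  <configurationRedirection enabled="true" path="\\fileserver\IIS$\shared-config"
      userName="TestLab\IISConfig" password="[enc:PLACEHOLDER-PROVIDER:PLACEHOLDER:enc]" />
</configuration>
'@
$expected = @{ ExpectedPath = '\\fileserver\IIS$\shared-config'; ExpectedUser = 'TestLab\IISConfig' }
Test-IISRedirection -Config $sample @expected

# On a web server, audit the live file instead of the sample.
$live = "$env:windir\system32\inetsrv\config\redirection.config"
if (Test-Path $live) {
    Test-IISRedirection -Config ([xml](Get-Content $live -Raw)) @expected
}
```

Running this on every farm member shows any server that still uses its local configuration or that reads from a different share or account.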
That is all for this guide. Once the shared configuration is enabled on multiple web servers, you can make the changes using the IIS manager from any web server, and those changes will be automatically pulled by other partner web servers so that the IIS configuration always remains the same on each server. This significantly reduces the excess administrative burden of managing each web server individually.
What are the PowerShell commands for enabling shared config and adding additional servers?
Use the following PowerShell commands:
Repeat the last command on additional web servers to enable shared IIS config.