Partager via


Metabase Protection

When developing IIS applications, it is recommended that you protect the configuration data in the metabase by saving a copy that can be restored later.

Note

Application content and SSL certificates are not included in the backup files, history files, or export files that IIS creates, and must be handled separately. SSL certificates must be installed before restoring IIS configuration files.

Metabase Backup and Restore

You can proactively create backup metabase files or allow IIS to automatically back up the metabase in history files. From these files, you can restore a last-known-good configuration or use a file comparison tool like WinDiff to compare an old history file with a corrupted metabase. (Comparison is more difficult in versions of IIS previous to 6.0 because the metabase file is in binary format.)

By default, the metabase history feature is enabled, which schedules the creation of backups whenever the in-memory metabase is written to disk. When this occurs, the previous copy of the metabase on disk is written to a history file before the current in-memory metabase overwrites it. It can be difficult to identify which history file is the last known good file unless you proactively create a backup file yourself before making changes.

You can programmatically configure the metabase history feature and create backup files using methods that are available in the IIsComputer class of the Active Directory Service Interfaces (ADSI) provider for IIS, the IIsComputer class of the Windows Management Instrumentation (WMI) provider for IIS 6.0, or the IMSAdminBase::Backup method of the Admin Base Objects (ABO).

IIS 6.0: You can also use the Iisback.vbs command-line tool which comes with IIS 6.0 to configure the metabase history feature.

Metabase Import and Export

IIS 5.1 and earlier: Metabase Import and Export is not available, but there are IIS 6.0 Resource Kit tools such as MBExplorer, and third-party tools such as MetaEdit, which can be used to export and import portions of the metabase.

You can export all or part of an IIS 6.0 metabase to an export file. Using the export file as a last-known-good configuration, you can import it back to an IIS server or use a file comparison tool like Microsoft WinDiff to compare an old export file with a section of a corrupted metabase.

You can also use the export option to save a portion of the metabase for the purpose of creating an installation package for an application. An export file can be imported to another IIS 6.0 server if, during the export, you provide a password to encrypt data in the secure properties. If you do not provide a password, the machine key of the IIS server is used to encrypt data in the secure properties, and the exported data can only be imported back to the same computer on which it was created.

Computer-specific properties must be deleted or changed in an export file before the file can be imported to another computer. Computer-specific properties that must be changed are those that contain file system paths or account names. Computer-specific properties that must be deleted are those that contain access control lists (ACLs) or passwords.

If you are going to use the import and export features of IIS 6.0, it is important to understand how inheritance works in the metabase. Inheritable properties are those that are passed down to child nodes. Inherited properties are those that a child node inherits from a parent. Be sure to think through the effects of the inherited and inheritable properties of both the export file and the destination metabase, or you might find that unexpected property values have been set after the import is completed.

You can programmatically create export files using the methods that are available in the IIsComputer class of the Active Directory Service Interfaces (ADSI) provider for IIS, the IIsComputer class of the Windows Management Instrumentation (WMI) provider for IIS 6.0, or the IMSAdminBase::Export method of the Admin Base Objects (ABO).

You can also use the Iiscnfg.vbs command-line tool that comes with IIS 6.0 to configure the metabase history feature.