Most Important AppCmd Commands: Backing up and restoring IIS7 configuration

Welcome to the first post of the "Most Important AppCmd Commands" series.  Have you ever made some changes to a system's state, and then after everything suddenly stopped working, wondered how the hell you are going to get back to a working state?  Well, this post is all about doing just that when you are working with IIS7's configuration.

Usually, the state of the IIS7 server is comprised of the following things: 1) the installed IIS7 files managed by Windows setup, 2) the IIS7 configuration, and 3) your application files.  The first is protected by System File Protection, so its not easy to accidentally mess up, and can be restored by using Windows setup.  The application files are your own, and one would expect to have a backup of these somewhere so that you can recover from making unintended changes to them on the server. 

The IIS7 configuration is our focus here, because its something that is frequently modified by different components during their installation, or by you in order to configure your application to behave in the specific way you need.  In previous versions of IIS, this configuration was stored exclusively in the metabase, which was first a binary (IIS 4) and then an XML (IIS5-6) file in the %windir%system32inetsrv directory.  With IIS7, even though most configuration can be stored in the distributed web.config files within the application hierarchy, and therefore can be backed up with the application itself, a number of settings still need to be stored in a central server configuration file, called applicationHost.config.  This file contains the site/application/virtual directory/application pool definitions, and the default configuration settings for all sites on the machine.

As such, any time you create / delete sites or applications, or set global configuration on the server, applicationHost.config is modified.  If you accidentally make changes to this file that cause undesired behavior, you will often want to restore a previous known-good version of this file instead of trying to modify the file piece by piece to get back to a good state.

To enable this, AppCmd.exe provides the BACKUP object that allows you to easily back-up, and restore the global server configuration.  To get more information about the commands of the BACKUP object, type in: AppCmd backup /?

1) Creating a backup

To create a backup, simply type in:

>AppCmd Add Backup "BackupName"

You can omit the name, in which case AppCmd is going to generate the backup name automatically using the current date and time.  When a backup is created, the following happens:

  1. A directory with the backup name is created under the %windir%system32inetsrvbackup directory.
  2. AppCmd copies the current configuration files into the backup directory, including applicationHost.config (IIS global configuration), administration.config (Admin Tool's configuration), metabase.xml and mbschema.xml.  The last two files contain the metabase data that is still used by some IIS services including SMTP and FTP, that have not been migrated to the new configuration system.  AppCmd only backs up the files that are there, so if you delete any of these files, and then make a backup, the backup will not contain the missing files. 

2) Managing existing backups

To list the backups that exist on the server, type in:

>AppCmd List Backup

This will list the backup objects, including their names that can be used to restore or delete them.  To delete any of these backups if its no longer needed, type in:

>AppCmd List Backup "BackupName"

3) Restoring a backup

To restore a backup, type in:

>AppCmd Restore Backup "BackupName"

This will stop IIS (equivalent to calling IISRESET.EXE /STOP), and overwrite the server's state with the files in the specified backup directory.  Then, IIS will be re-started (equivalent to calling IISRESET.EXE /START).

Managing IIS7 backups with AppCmd 

If you do no want AppCmd to stop IIS (which can take a while), and instead want to stop and start services yourself, you can include the /stop:false parameter.  Typically, only the IISADMIN service requires to be stopped so that the mbschema.xml file can be restored, if services like FTP or SMTP are being used.  Other files, including applicationHost.config and administration.config, are not locked by the configuration system so they can be restored without stopping IIS, and IIS components will pick up the changes.

I recommend that you make backups every time before making significant changes to the IIS7 configuration, which can save you a lot of time when something doesnt go as planned.  I've watched "AppCmd Restore Backup" come to the rescue more times then I can count, so its almost always the first thing that I do when I begin working with a new server, or help someone on the team investigate an issue.

In Windows Server "Longhorn" beta 3, we are adding a Configuration History service that automatically makes configuration backups every 2 minutes whenever configuration is changed.  This often eliminates the need to do manual backups, but not completely – often its desireable to make a backup at a specific point before making changes, so that that exact state is saved and can be restored at any point.  More info on the Configuration History service in a future post …

29 Comments

  1. Anonymous

    It would be nice if you could give it a target location to place the backup.  Reverse that, too, for restores.  A use-case: I setup a scheduled task to backup IIS7 to a UNC share.  

  2. Mike Volodarsky

    Matt,

    I agree that would be nice – unfortunately, it looks out of scope for the IIS7 release.

    In the meantime, you can you do the following in your scheduled task:

    1) AppCmd add backup
    2) xcopy %windir%system32inetsrvbackup
    UNClocation

    Be sure to secure the UNC location appropriately – the configuration file is backed up as is, without encryption (although the sensitive data like passwords in it should be encrypted as normal).

    Also, you will not be able to use this file to restore another machine on your network, unless the other machine has the same encryption keys as the one from which the file was backed up.

    Thanks,

    Mike

  3. Anonymous

    Is there any way to restore the default IIS7 settings? I don’t have a backup, I just want to get IIS7 was with its original installed settings, without having to reinstall Windows Vista. I tried uninstalling IIS, then reinstalling, but all of the settings were still there.

    I’m on Vista Ultimate 32-bit

  4. Mike Volodarsky

    Scott,

    Unfortunately, there is no easy way in Vista, although we are adding this in Vista SP1 and Longhorn server (it is there in SB3) via the configuration history service that will make an automatic backup when IIS is first installed, and then when configuration changes thereafter.

    On Vista, your best bet is to do the following: Uninstall the “Windows Activation Service” component together with IIS, and then reinstall both.

    Thanks,

    Mike

  5. Anonymous

    摘要
    本期共有8篇文章: ASP.NETAJAX文档更新、视频以及一些参考文章
    在ASP.NETAJAX中实现拖放功能
    使用来自于Codeplex的ASP.NETAJAXC…

  6. Anonymous

    Mike,

    Great article. I’m wondering if you could point me to any documentation on steps for backing up IIS7 configuration settings for restore on another server as a failover method. Is there something that can be done with the appcmd add backup command to export the required encryption keys, and import them on the new server?

    Thanks,
    Rich

  7. Mike Volodarsky

    Hi Jason,

    AppCmd backup and restore do work when shared configuration is used, however, they do not back up the actual configuration stored on a network share.

    Instead, they back up the redirection.config file that has the settings that control the location of the remote configuration, so that you can restore them later to point to the shared configuration.

    This is done to avoid issues where a restore operation on one server leads to loss/unintended modification of the shared configuration used by multiple web servers. When using shared configuration, modifications to the configuration files must be done in a centralized manner and make sure that all web servers are prepared to accept the new configuration (i.e. have all the modules installed, etc).

    Think of it this way: appcmd backup and restore works to safeguard the configuration of the local server only. Shared configuration itself does not belong to the server so it is not modified by those operations.

    Thanks,

    Mike

  8. Anonymous

    Hi,
    I’d like to know if you can tell me (or point me to examples) of how to use the appcmd to backup or export the configuration of just one site or just one virtual directory and then import that site or virtual directory on another IIS 7 server? I used to do this via GUI in IIS6 with the save configuration to file feature, but obviously that feature seems to be gone in IIS 7.
    I appreciate the info in your blog.
    Thanks,
    R Harris

  9. Anonymous

    I’m trying to run the command:
    “c:windowssystem32inetsrvappcmd add backup” and I get the error “Access is denied” — does anyone know how to get around this? Thanks!

  10. Anonymous

    In the article above, in #2, there seems to be a typo.

    >This will list the backup objects, including their
    >names that can be used to restore or delete them.
    >To delete any of these backups if its no longer
    >Needed, type in:
    >AppCmd List Backup “BackupName”

    Shouldn’t the command be
    AppCmd DELETE Backup “BackupName”??

  11. Anonymous

    Mike, would you please tell me:
    1. Does AppCmd backup include information about all websites configured on the server?
    2. You said: “you will not be able to use this file to restore another machine on your network, unless the other machine has the same encryption keys as the one from which the file was backed up.”
    In this case how would you suggest preparing for a disaster recovery if the original server is gone? In IIS6 you can easily restore a configuration file (from “Save Configuration to a file”) to another server.

    Thanks,
    Michael

  12. Anonymous

    Hi

    As Michael say “unless the other machine has the same encryption keys ”

    I tried to resotere my sites It gives error
    “ERROR ( hresult:80070426, message:Command execution failed.
    The service has not been started.
    ) ”

    In IIS i can see all sites with config but now error is that it says cant logon with supplied username & password.

    Password for old & new server is same & when I try to chnage password again it give same error no & say that bad config file

    Also As u written I install all custom modules which i installed in old server however I cant get clue from reading backup files that i missed any one .

    Can u help me to find the list of custom modules in config files ?

  13. Anonymous

    DiscountASP.NET is one of the partner hosting providers with whom we work closely to provide high value

  14. Anonymous

    Great article thanks!
    I am able to add and list but when I get to the point where I need to restore I keep getting an ‘Access is denied” message. Also I notice when i run the restore option it kills the ‘WWW Publishing Service’.
    Any ideas on what is happening or how to make this restore work correctly?
    Thanks

  15. Anonymous

    Hy, is there any way to backup a single site in iis 7? with appcmd I’m able to backup the entire configuartion with all the sites but only one of them is needed. Thx!

  16. Anonymous

    Hi Mike

    It is great that you give of your time to help people.

    Logged in on an account that is Administrator type in Vista Business SP2 and in the directory WindowsSystem32inetsrv when I try to run “appcmd.exe add backup” I get error 80070005 Access is denied.

    (The account is not named Administrator and when I try to add an account named Administrator it says one exists already. I can not see an account called Administrator in Control Panel>User Accounts>Manage Accounts and have struck problems before where the account David does not seem to have full Administrator privileges.)

    I can use the identical command on my 64 bit Windows Server 2008 R2 and it works fine.

    I have looked at the security permissions on the two different systems and they are identical for the two systems for the users SYSTEM and Administrators for the folders;

    inetsrv – full
    inetsrvbackup – full (although the ticks are grayed out on the Vista system)
    inetsrvconfig – full

    I also gave my account (David(OEM-PCOEM) which appears in the list full access for config .

    I suspect the account David may be the problem even though it is assigned Administrator type but this might be a red herring.

    Hoping that you can help please.

    Thank you

    David

  17. Komal

    Hello Mike,

    “iisreset” command fails and the error message is: The IIS admin service or the world wide web publishing service or a service dependent on them failed to start. The service or dependent services may had an error during its startup or may be disabled.

    What is the solution for this? As I have not taken any backup and there is important data which I can’t afford to lose.

    My entire software is stuck, I can’t login to my software as the Login and Password fields are automatically disabled with an error message popping “Server details are invalid”.

    Please provide me with a solution soon.

    Thanking you in advance!

  18. Hi, I need help about manage SSL binding from XML file

    Step by step:

    1. I can export a website from server 1 to an xml file
    2. I can import a website xml to server 2

    All information is ok, less the binding SSL information

    I have the correct SSL certificates installed and configured in both servers, but export file not show the name or id of ssl.

    Can you help me?

  19. jerry padilla

    Is there a way to know the date and time of one backup generated? If you add a backup with out a name, the name will be the date and time but if you typed a name, you don’t know the date unlees you remember it.

Leave a Reply

Your email address will not be published. Required fields are marked *